[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributed Capabilities

From: Marcus Brinkmann
Subject: Re: Distributed Capabilities
Date: Tue, 28 Mar 2006 20:15:08 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Tue, 28 Mar 2006 12:10:10 -0500,
"Jonathan S. Shapiro" <address@hidden> wrote:
> On Tue, 2006-03-28 at 10:21 +0200, Marcus Brinkmann wrote: 
> > At Mon, 27 Mar 2006 14:05:09 -0500,
> > "Jonathan S. Shapiro" <address@hidden> wrote:
> > > > However, in practice, as Marcus said, everyone is free to run whatever
> > > > OS they may like.
> > > 
> > > Not necessarily. This is an example of one of the *valid* uses of remote
> > > attestation. Attestation gives me the ability to form my associations
> > > with other people selectively. The right to assemble selectively is a
> > > fundamental freedom that is currently not supported in computational
> > > systems.
> > 
> > I don't buy it.  For the possibility to assemble selectively, you only
> > need secrecy and the ability to establish an identity.  For this,
> > normal public key authentication is sufficient.
> This is complete nonsense. The identity you are trying to establish here
> is the identity of the remote *platform*, not the identity of the remote
> *user*.

You said above: "Attestation gives me the ability to form my
associations with other people selectively.  The right to assemble
selectively ...".  I used your (implied) definition of "assemble
selectively", namely the assembling of people by means of
computational systems.

It's not clear to me (even after reading your response) why selective
assembly of people by means of computational systems would include
establishing the identity of any of the involved platforms to anybody
except the person using that platform to participate in the assembly.

> I agree that the user needs to be able to say "no, do not answer that
> identity challenge". However, assuming that the user is *willing* to
> identify, it does not follow that the user is *able* to identify.
> Even if I trust you, Marcus, personally, and even though you personally
> are quite expert, you are simply not capable of giving me any *credible*
> assurance of what is running on your system. The reason is that in
> practice you do not actually *know* what is running on your system.
> Upgrades make it impossible to track this in practice.

That is an argument to make it possible for me to attest, locally,
what software I am running.  It is not an argument for other
participants in the assembly to get any assurance about that beyond my
word for it.

> Further, there are valid circumstances where even if I trust *you*, I
> know that certain possible system configurations are known to be
> compromised, and I therefore cannot trust your system if it is one of
> these configurations -- even if you say that it is okay. The issue here
> is that you are trustworthy but your system is not sufficiently within
> your control.

Although this may or may not be (depending on your definition of
"valid circumstances"), I think it goes clearly beyond the
"fundamental freedom" of "selective assembly", at least as I
understood the term.

Maybe you can elaborate on what these "valid circumstances" would be.

> So: any robust mechanism for selective assembly must answer two
> independent questions:
>   1. Do I trust the remote administrator/user?
>   2. Do I have credible reason to believe that the remote
>      administrator/user is, in fact, in control of their system.

No mechanism can tell you if you "trust" the remote administrator or
user.  I assume you actually meant that the mechanism should establish
the identity of the remote administrator/user.  With this provision, I
already conceded 1.

Number 2 is a question that no mechanism can answer.  The remote user
may sit at the computer next to a bad guy with a gun.  In this case,
the remote user is not in control of their system.  I actually think
that remote attestation does not give you _any_ information on this

I thought I understood what you mean by "selective assembly" of people
with computational means.  This is apparently not the case.  However,
working backwards from your above more detailed description, I would
like to know why you consider it a "fundamental freedom" (as I can't
get your description in line with any of the fundamental freedoms I
know about).

> >   Control over
> > behaviour of others is orthogonal to identification and secrecy.
> The question at hand is not control. It is credibility.
> > To
> > push your analogy further, in a modern society only the state has the
> > executional power to control others (except for emergencies,
> > parentship etc).
> Nonsense. This is a perfect example of thinking wrongly about authority.
> In most modern societies, only the state has the *authority* to execute
> people, but in practice every individual in the world has the *ability*
> to execute people.

Sorry, I meant executive authority, as in separation of powers a la Locke.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]