On Saturday, Sep 27, 2003, at 20:31 US/Eastern, Zooko wrote:


"Jeroen C. van Gelderen" <[EMAIL PROTECTED]> wrote:

There is no way around asking the user because he is the ultimate authority when it comes to making trust decisions. (Side-stepping the issues in a (corporate) environment where the owner of the machine is entitled to restrict its users in any way he sees fit. The point is that the software agent cannot make trust decisions.)

... but you don't always have to *ask* the user, if instead you can infer from
actions that the user already performs.

Oops, I didn't mean to imply that you'd have to ask as much as happens at present! Automatically inferring is pretty much required if Alice is to be able to do a whole day's worth of work without seeing any popups in the steady case. You only ask Alice when you cannot otherwise reliably infer her intentions; that will be necessary at some point. The remaining questions that do get asked then are meaningful and do not condition towards a knee-jerk Click-Yes reaction.


I used to think that a capability desktop would be severely hobbled by the
requirement that the user state a plethora of privilege rules, until I saw
Marc Stiegler's CapDesk demo at the second O'Reilly Emerging Technologies
conference.


In that demo, a perfectly familiar desktop with "File -> Open" and
"File -> Save As" dialogs also serves as a Least-Privilege-enforcing access
control system which protects even a naive and lazy user from a malicious text
editor.

And you can even download and try it for yourself as all of CapDesk is freely available. If that is too much, just download Marc's video demonstration [1]:


http://www.erights.org/talks/skynet/index.html

I truly don't know how much more helpful one can get in order to dispel the perpetuation of these security myths?

See also Ping Yee's research in secure Human Interface.

http://www.sims.berkeley.edu/~ping/sid/


-J

[1] I don't know why the video is available in M$ proprietary format only though :(
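
The file-dialog idea discussed in this message, as an added Python model that is not part of the original post and is not CapDesk code: the user's pick in a trusted dialog is the only way the editor obtains authority over a file. The names `FileCap`, `TrustedDialog` and `Editor` are hypothetical, and the model assumes the editor has no ambient file access, which Python itself does not enforce.

```python
import os
import tempfile

class FileCap:
    """Authority over one file in one mode; the holder is never given a path."""
    def __init__(self, path, writable):
        self._path, self._writable = path, writable
    def read(self):
        with open(self._path, encoding="utf-8") as f:
            return f.read()
    def write(self, text):
        if not self._writable:
            raise PermissionError("capability is read-only")
        with open(self._path, "w", encoding="utf-8") as f:
            f.write(text)

class TrustedDialog:
    """Trusted desktop code. The user's pick in the dialog is the grant."""
    def __init__(self, user_pick):
        self._user_pick = user_pick  # stands in for the human; returns a path or None
    def open_file(self):
        path = self._user_pick("open")
        return FileCap(path, writable=False) if path else None
    def save_as(self):
        path = self._user_pick("save")
        return FileCap(path, writable=True) if path else None

class Editor:
    """Untrusted application: holds the dialog and only the caps it was granted."""
    def __init__(self, dialog):
        self._dialog = dialog
    def load(self):
        cap = self._dialog.open_file()  # no path argument: the app cannot designate
        return cap, (cap.read() if cap else None)

def demo():
    """Constructed scenario: the user picks notes.txt in File -> Open."""
    with tempfile.TemporaryDirectory() as d:
        notes = os.path.join(d, "notes.txt")
        with open(notes, "w", encoding="utf-8") as f:
            f.write("hello")
        editor = Editor(TrustedDialog(lambda action: notes))
        cap, text = editor.load()
        try:
            cap.write("overwritten")  # editor tries to reuse the open grant to write
            blocked = False
        except PermissionError:
            blocked = True
        with open(notes, encoding="utf-8") as f:
            return text, blocked, f.read()
```

No question is put to the user beyond the dialog they would have used anyway, and a file the user never picks is one the editor holds no reference to.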

---------------------------------------------------------------------
The Cryptography Mailing List