On Mon, 2007-01-08 at 02:24 +0100, Marcus Brinkmann wrote:
> > The larger harm of the "transparent memory" proposal is that we do not
> > (yet) have any comprehensive description of an overall system design
> > based on this model, and we certainly have no security design for it
> > (yet).
>
> Let's cut to the chase. The issue is not the lack of formal
> descriptions and models. The trade-offs are clear enough. The real
> issue is that my proposal makes it impossible or hard to express and
> implement certain security policies compared to EROS.
The tradeoffs are not at all clear to me, which is exactly what I said. This is true because I still do not understand the full picture of the design that you propose. So far as I know, there is no comprehensively captured description (yet) that I can study. In the absence of such a description, it is clear that there cannot exist any comprehensive security design. I was also very careful to emphasize the "yet" part. It is possible (even likely) that your design will come to be written down in time and the security design will emerge from that. I look forward to that very much.

I made no mention of "formal" anything.

I accept that you have a different view of what security policies are important. I may not agree with your view, but that does not mean that your goals are invalid. The problem right now is that I don't understand your system and I therefore cannot understand if *any* security policies can be enforced in your system.

It is surprisingly easy to design a system in which security enforcement is impossible. The overwhelming majority of current general-purpose operating systems fall into this category. When someone (you, but also anyone else) proposes a new OS structure, I am therefore very skeptical that it will turn out to be securable in any sense at all. This skepticism is very well motivated by history.

What I say above is simply that no capture of your overall design exists *today*, and so we cannot *yet* understand (and I claim that *you* cannot yet understand either) what the implications of your design will turn out to be.

> > I completely support Marcus in his view that the "transparent memory"
> > proposal is worth exploring, but in my opinion it would be irresponsible
> > to design this assumption into a widely deployed system until its
> > implications are more fully understood. My concern is that I do not see
> > the necessary design work occurring that would determine that. This may
> > be simply because that discussion is not occurring here.
>
> Jonathan, I couldn't have said it any better, but for the system
> design you propose to be widely deployed, and referring to its social,
> political and economic implications as well as technical ones.

There is significant merit to this part of your response. The difference between our positions (as I see it) is this:

My design is compatible with the current trend of legal and social opinion concerning intellectual property. To the extent that this is true, it fits directly into the current political environment and economic framework. However, it also seeks to restore to the user a balance of power by ensuring that end users can apply all of the same tools that content providers can.

Your design proposes to undermine and attempt to redefine both the current political and the current economic framework. It seeks reversal, not balance.

I do not assert that either view is "better". Each view, in my opinion, has significant merits, risks, benefits, and costs.

> However, please note
> that virtually all systems widely deployed today do have "transparent
> memory", do you know any exceptions?

The overwhelming majority of systems deployed today do not. I refer, of course, to set-top boxes, game machines, music players, refrigerators, disk drive controllers, and so forth.

shap

-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
