> Because it's possible and will improve security, I think we should
> investigate it further, this could allow us to unmarshall the proxy and
> determine trust without changing the Jini Service model. There's still
> Service UI to consider too, but that happens after determining trust. We
> need to be immune to DOS attacks during the period we're trying to determine
> trust.
I don't want to discourage anyone from doing anything, but I find this concerning. To my mind, something should either be 100% secure, like operating systems are (supposed to be), or there should be a clear "download and run at your own risk". Things we pay for (buying stuff off the internet, online banking, hosted services etc.) are supposed to be secure and there are clear SLAs describing what happens if it's not. Everything else you download is very much "on your own head be it".

What I'm getting from these recent discussions is broadly this:

- "We can protect against this kind of threat, but not that one."
- "We can't protect, at all, against this other kind of threat."
- "We can mitigate the consequences of this kind of threat."

And that's only for the kinds of things we can think of. I agree with Sim on this one, it feels like we're creating a false sense of security. The danger I see in this is that people will either:

1) See our security designs, see that they're incomplete and announce that "River is insecure".
2) See our security designs, miss what they do and do not provide, and announce that "River is bullet-proof".

Both of these statements are wrong and both are dangerous.

I'm still of the opinion that we can provide secure services through trust (that's a lower-case, non-Computer-Science "trust") and not through code. If, typically, people get their proxies from some kind of "app store" that they trust, the community can make sure that only trusted services can get onto the "app store". If you want to use a less-known and maybe less trustworthy "app store" then that's up to you.

I'm leaning towards programmatic security being an all-or-nothing affair. Since it appears that we can't protect against everything, I'm reminded that we can lock and bolt the door as much as we like, but if we leave our Windows unsecure (ha ha) then the bad guys will still get in.

Tom
