security advice

Chris Muller chris at funkyobjects.org
Thu Nov 10 04:42:16 UTC 2005


Magma must have security or it will never work directly on the Net.  I hope
KryptOn will prove a good basis for this, but I have reached a point where
detailed choices have me struggling about where to balance transparency and
security.

For the most part, I have used the Croquet suggestions for my guide:

  http://minnow.cc.gatech.edu/squeak/3770.

But let me draw attention to my specific matter of contention.

"- Security needs to be largely invisible. The Diablo trading system, referred
to in earlier email, points the way.."

and, 

"I would suggest going with a system that always encrypts automatically to see
how you like it. Even if you decide to build in a way to circumvent encryption
from the first day, I would urge, on my knees, that sending data unencrypted
require an explicit and highly visible coding change such that the default,
easiest path to communication is indeed encrypted, and both original
programmers and later reviewers can immediately spot digressions from the
secure communications. I have a number of tragi-comic stories about people who
knew they were using strong encryption ... except they were actually sending
cleartext. Perhaps the requirement should be, do not add to the collection of
funny stories :-)"

Now, I searched for info about Diablo II's trading system but couldn't find any
details; just stuff about the "paladins" and "mages" and stuff..  Anyone know
where a good description of their trading system is?

Notwithstanding that, I am specifically torn on the idea of "always on"
security because, ultimately, requiring the user to say, "useSecurity: false"
is where the transparency ends.  However maybe not.  Maybe the user assumes
POLA, since maybe what they expect by transparency is "the computer reasonably
takes care of me as best it can even if all I do is take care of my physical
computer."

To put it in Magma terms..

Every repository created will require Capabilities to access it.  Now, if you
don't want to deal with security at all, it can put these capabilities in the
default directory automatically.  This is essentially laying the golden key
right on top of the treasure chest, but it seems merely to extend the
non-secure area from the confines of the image to the physical computer.

IOW, you could still expose the repository on the net and only you could access
it.  But to do that you need to remember to bring the Capabilities with you to
connect remotely, so some awareness of security is required anyway; it's not
fully transparent.

So lately I'm thinking this attempt to eat my cake and have it too is
fruitless.  Either the user will have to be somewhat aware of security or there
should probably be no security.  I need to choose a more definitive philosophy:

  always on?
  default on, allow turning it off?
  default off, allow turning it on?

Comments or advice greatly appreciated..

 - Chris
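An added illustration of the "default on, allow turning it off" option above, written for this post and not code from Magma or KryptOn: a repository that requires a capability, a connect path that is encrypted unless the caller passes an explicit, greppable opt-out, and a small reviewer check that lists every such opt-out. The names `Repository`, `Capability`, `insecure_cleartext` and `find_cleartext_opt_outs` are assumptions for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass


# Constructed model of the design choice in the post, not Magma code.
@dataclass(frozen=True)
class Capability:
    repo: str
    secret: bytes  # constructed stand-in for whatever the real system issues


class AccessDenied(Exception):
    pass


class Repository:
    def __init__(self, name):
        self.name = name
        self._secret = secrets.token_bytes(16)

    def default_capability(self):
        """The 'golden key on top of the treasure chest': the capability the
        repository could write to the default directory automatically."""
        return Capability(self.name, self._secret)

    def _check(self, cap):
        # Constant-time comparison so the check does not leak the secret.
        if cap.repo != self.name or not hmac.compare_digest(cap.secret, self._secret):
            raise AccessDenied(self.name)

    def connect(self, cap, *, insecure_cleartext=False):
        """Default path is encrypted; cleartext needs a visible keyword opt-out."""
        self._check(cap)
        return "cleartext" if insecure_cleartext else "encrypted"


# What a reviewer greps for: the only way to leave the encrypted path.
CLEARTEXT_OPT_OUT = re.compile(r"insecure_cleartext\s*=\s*True")


def find_cleartext_opt_outs(source):
    """Return (line number, line) pairs where code digresses to cleartext."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if CLEARTEXT_OPT_OUT.search(line)]
```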


