Magma must have security or it will never work directly on the Net. I hope KryptOn will prove a good basis for this, but I have reached a point where detailed choices have me struggling about where to balance transparency and security.
For the most part, I have used the Croquet suggestions for my guide:
http://minnow.cc.gatech.edu/squeak/3770.
But let me draw attention to my specific matter of contention.
"- Security needs to be largely invisible. The Diablo trading system, referred to in earlier email, points the way.."
and,
"I would suggest going with a system that always encrypts automatically to see how you like it. Even if you decide to build in a way to circumvent encryption from the first day, I would urge, on my knees, that sending data unencrypted require an explicit and highly visible coding change such that the default, easiest path to communication is indeed encrypted, and both original programmers and later reviewers can immediately spot digressions from the secure communications. I have a number of tragi-comic stories about people who knew they were using strong encryption ... except they were actually sending cleartext. Perhaps the requirement should be, do not add to the collection of funny stories :-)"
Now, I searched for info about Diablo II's trading system but couldn't find any details; just stuff about the "paladins" and "mages" and stuff.. Anyone know where there is a good description of their trading system?
Notwithstanding that, I am specifically torn on the idea of "always on" security because, ultimately, requiring the user to say, "useSecurity: false" is where the transparency ends. However, maybe not. Maybe the user assumes POLA, since maybe what they expect by transparency is "the computer reasonably takes care of me as best it can even if all I do is take care of my physical computer."
To put it in Magma terms..
Every repository created will require Capabilities to access it. Now, if you don't want to deal with security at all, it can put these capabilities in the default directory automatically. This is essentially laying the golden key right on top of the treasure chest, but it seems merely to extend the non-secure area from the confines of the image to the physical computer.
IOW, you could still expose the repository on the net and only you could access it. But to do that you need to remember to bring the Capabilities with you to connect remotely, so some awareness of security is required anyway; it's not fully transparent.
So lately I'm thinking this attempt to eat my cake and have it too is fruitless. Either the user will have to be somewhat aware of security or there should probably be no security. I need to choose a more definitive philosophy:
always on? default on, allow turning it off? default off, allow turning it on?
Comments or advice greatly appreciated..
- Chris