l4-hurd

Re: Design principles and ethics (was Re: Execute without read (was [...


From: Jonathan S. Shapiro
Subject: Re: Design principles and ethics (was Re: Execute without read (was [...]))
Date: Sat, 29 Apr 2006 22:23:16 -0400

On Sun, 2006-04-30 at 03:52 +0200, Bas Wijnen wrote:
> > What Marcus describes is a situation where (a) the parent establishes
> > the authorized channels and (b) the parent can spy on the child's state.
> > The second provision violates the requirement for intent.
> 
> Huh?  Why can't the child intend to transmit if it was started by the parent?

You have it backwards. The correct question is:

  Does the mere fact that the child was instantiated by the parent
  imply that the child consents to disclose state to the parent?

> We are talking here about things like browser plugins.

You were, but my comment is in the broader context of a debate about
confinement. It is not limited to subordinate subsystems. These are a
useful special case, but not instructive for purposes of the broader
debate.

> > So: what Marcus calls "trivial confinement" is not confinement at all. I
> > do not agree with what he proposes, but the policy that he proposes is
> > not morally wrong. I *do* object very strongly to calling it
> > confinement, because it is not confinement. What Marcus actually
> > proposes is hierarchical exposure.
> 
> That too, but that's not the reason it's confinement.  It's confinement
> because the child process cannot communicate with anyone, except with explicit
> permission of the parent (in the form of a capability transfer).

It is also not confinement if the parent can read the child without the
consent of the child. Therefore it is not confinement at all.

> > Marcus proposes that any "parent" should have intrinsic access to the
> > state of its "children". This property is necessarily recursive. It
> > follows that the system administrator has universal access to all user
> > state, and that "safe" backups are impossible.
> 
> Nonsense.  As you said yourself a few months ago, the administrator might not
> have the right to touch everything.

In the purely hierarchical model that Marcus proposes, this property is
not achieved. That is the problem that I am objecting to.

> > Further, it follows that cryptography is impractical, because there exists no
> > location on the machine where a cryptographic key can be stored without
> > exposure to the administrator.
> > 
> > That is: in Marcus's proposal, there is no possibility of privacy.
> 
> I believe I have disproven that statement.

Sorry. You have not.

> > > My position on the confined constructor design pattern, ie non-trivial
> > > confinement, is NOT that "it supports DRM, therefore it should be
> > > banned".  My position on the confined constructor pattern is: "I have
> > > looked at ALL use cases that people[*] suggest for it, and find all of
> > > them either morally objectionable, or, in the context of the Hurd,
> > > replaceable by other mechanisms which don't require it."
> > 
> > Excellent. Please propose an alternative mechanism -- ANY alternative
> > mechanism -- in which it is possible for a user to store cryptography
> > keys without fear of exposure. If we can solve this, then I am prepared
> > to concede that we can store private data in general.
> 
> In general, keep the chain of parents short and trusted.

Since all processes are (ultimately) in some chain derived from
processes that the administrator controls, no privacy against the
administrator is possible.

> > We are discussing a very important, foundational point. I believe that
> > this debate should be public, that it should be uncompromising, and that
> > it should evolve over time. Your ideas are incomplete. So are mine. Let
> > us start a Wiki page for this discussion that will allow us to evolve
> > it. Such decisions NEED the light of day.
> 
> Personally, I prefer the mailing list for discussions.  It would be a very
> good idea if the resulting conclusions are archived in a better way than
> "somewhere in the list archives".  For that a wiki is useful.  But I wouldn't
> want to need to poll web pages in order to see if someone said something.

Yes. But the result needs to be edited and maintained as well.

> > If I have a right to choice, it is a right to *stupid* choice.
> 
> Choice is not a right in all situations.

I agree. However, choice is a right in all situations where no
*overwhelming* third party harm can be shown to the satisfaction of the
consensus of the society.

> > You propose to solve *your* long-term social objectives by undermining the
> > social process of consensus.
> 
> What consensus?

Yes. That is the point. In the absence of social consensus it is immoral
to impose *any* dogma on society in the absence of demonstrated harm to
third parties.

> > If there is a better definition of evil, I do not know it.
> 
> I do.  Evil is when a person acts in a way that is against his or her own
> moral values.

No. This is the second type of evil. The first type is when a person
acts in a way that imposes their values on others without sufficient
evidence of universal merit.

shap
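The point argued above (that under hierarchical exposure a parent's intrinsic read access to its children is transitive, so the root of the process tree can read every descendant's state, whereas confinement makes state readable only where the child has explicitly handed out a capability) can be made concrete with a small model. This is an added example and not code from the thread, the Hurd, or any of the systems mentioned; the process names, the tree shape (admin -> login -> shell -> browser -> plugin) and the secret values are constructed assumptions.

```python
# Toy model of the two access models argued over in this thread (added
# example; process names, tree shape and secrets are constructed).
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None
    secret: str = ""                      # e.g. a private key in process memory
    # Names of processes to which this process has *explicitly* granted a
    # capability to read its state.  Only the confinement model consults it.
    disclosed_to: set = field(default_factory=set)


def can_read_hierarchical(reader: Process, target: Process) -> bool:
    """Hierarchical exposure: a parent has intrinsic read access to its
    children's state, so any ancestor of `target` (or `target` itself) can
    read it.  Consent of the child plays no role."""
    p: Optional[Process] = target
    while p is not None:
        if p is reader:
            return True
        p = p.parent
    return False


def can_read_confined(reader: Process, target: Process) -> bool:
    """Confinement: state is readable only by the process itself or by a
    holder of a capability the target chose to hand out."""
    return reader is target or reader.name in target.disclosed_to


def exposed_to(reader: Process, processes: list, model: Callable) -> list:
    """Names of the processes holding a secret that `reader` can read under `model`."""
    return sorted(p.name for p in processes if p.secret and model(reader, p))


def build_tree() -> dict:
    """A constructed process tree: admin -> login -> shell -> browser -> plugin."""
    admin = Process("admin")
    login = Process("login", admin)
    shell = Process("shell", login)
    browser = Process("browser", shell, secret="constructed-user-private-key")
    plugin = Process("plugin", browser, secret="constructed-plugin-state")
    # The plugin consents to inspection by the browser that hosts it
    # (the "browser plugin" case from the thread), and by nothing else.
    plugin.disclosed_to.add("browser")
    return {p.name: p for p in (admin, login, shell, browser, plugin)}


if __name__ == "__main__":
    procs = build_tree()
    everyone = list(procs.values())
    for name in ("admin", "shell", "browser"):
        r = procs[name]
        print(f"{name:8} hierarchical: {exposed_to(r, everyone, can_read_hierarchical)}")
        print(f"{name:8} confined:     {exposed_to(r, everyone, can_read_confined)}")
```

Under the hierarchical model `exposed_to(admin, ...)` lists every secret in the tree, because readability is simply "is an ancestor of", and keeping the chain of parents short does not change that the root is always on it. Under the confined model the same call returns nothing: the only reader of the plugin's state besides the plugin is the browser, which is exactly the process the plugin chose to disclose to.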




