l4-hurd

RE: Design principles and ethics


From: Christopher Nelson
Subject: RE: Design principles and ethics
Date: Wed, 3 May 2006 12:16:09 -0600

> > > > If I know that no one can examine AND MODIFY my data, then I can
> > > > make assumptions regarding the legitimacy of that data.
> > >
> > > But you do.  We have a protected capability system.  It's your data,
> > > and you're the only one who has access to it.
> > > This data cannot have been "stolen"
> > > without you (probably by accident) giving away this capability (or
> > > copying the data to where someone else can read it).
> >
> > No, you DON'T.  This is my point: because your parent has all rights
> > to you, you can make no guarantees about your parent, or your parent's
> > parent.  Which means that you do *not* have any idea about who is in
> > the communication chain.
>
> Ah, you're confusing yourself with a process.  The user session is a
> direct child of the primary space bank.  The system design guarantees
> that
> - The primary space bank will not disclose its contents
> - The session itself (which is also part of the TCB) will not give out
>   any capabilities to its space bank (but only to newly created
>   subspacebanks).
> The user's shell is a direct child of the session.  No process is going
> to spy on that shell.  The user interacts with the system through this
> shell.  There is no danger of spying.

So the basic security argument that is being made is that:

A) There is a set of programs (services) that are under no one's
authority; these constitute the TCB.

B) There is a primordial arena that is opaque to everyone, from whence a
user session is generated.

C) The user has complete control of their own session, which means the
implicit ability to examine and/or change all code and data to which the
session has access.

Is this correct?

-={C}=-
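As an added illustration of the argument in the quoted exchange (this is not code from the thread or from the Hurd project; the bank names and principals are constructed), a small Python model of the space-bank hierarchy that computes which principals can examine a bank's storage, given the rule that a parent bank holds all rights over the sub-banks created from it:

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SpaceBank:
    name: str
    holder: str                      # principal holding the capability to this bank
    parent: Optional["SpaceBank"] = None
    children: list = field(default_factory=list)

    def create_subbank(self, name: str, holder: str) -> "SpaceBank":
        # The only way storage is handed out: a fresh sub-bank, never the bank itself.
        child = SpaceBank(name, holder, parent=self)
        self.children.append(child)
        return child

    def ancestors(self) -> list:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain                 # self first, primary bank last

    def principals_with_access(self) -> set:
        # A parent has all rights over its children, so everyone holding a bank
        # on the path up to the primary bank can examine this bank's contents.
        return {bank.holder for bank in self.ancestors()}

    def can_inspect(self, other: "SpaceBank") -> bool:
        return self.holder in other.principals_with_access()


def build_system() -> dict:
    # Constructed layout: the primary bank and the sessions belong to the TCB;
    # each user's shell lives in a sub-bank created by that user's session.
    primary = SpaceBank("primary", "TCB")
    alice_session = primary.create_subbank("session-alice", "TCB")
    alice_shell = alice_session.create_subbank("shell-alice", "alice")
    helper = alice_shell.create_subbank("helper-alice", "alice-helper")
    bob_session = primary.create_subbank("session-bob", "TCB")
    bob_shell = bob_session.create_subbank("shell-bob", "bob")
    return {"alice_shell": alice_shell, "helper": helper, "bob_shell": bob_shell}


if __name__ == "__main__":
    s = build_system()
    print(sorted(s["alice_shell"].principals_with_access()))  # ['TCB', 'alice']
    print(s["bob_shell"].can_inspect(s["alice_shell"]))       # False
    print(sorted(s["helper"].principals_with_access()))       # ['TCB', 'alice', 'alice-helper']
```

The shell's storage is reachable only from the TCB chain and from alice herself, which is the "no process is going to spy on that shell" claim; the helper process spawned under the shell, by contrast, cannot assume its data is private from alice, which is the earlier "your parent has all rights to you" point.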
