l4-hurd

Re: Restricted storage


From: Bas Wijnen
Subject: Re: Restricted storage
Date: Tue, 30 May 2006 00:34:28 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Mon, May 29, 2006 at 03:15:15PM -0400, Jonathan S. Shapiro wrote:
> > > There is one very important point though.  I think those restrictions
> > > can easily be implemented in the user session.  This means that we can
> > > just build a system with no support for restricted storage, and add it
> > > if we find that we did need it after all.  However, Jonathan doesn't
> > > seem to agree.  At the moment I still think he doesn't quite understand
> > > what I mean.  However, if he does and is correct that it cannot be added
> > > later, we would need to decide this before building the system.
> > 
> > Oh, and I forgot one thing.  I'm very sure that I do indeed want the user
> > to be able to run his own programs on fully opaque storage.  This is very
> > useful for programs handling encryption keys....
> 
> I seem to recall that this was one of the very first use cases that I
> pointed out.

You did, but you said it was something that required a constructor, which is
not the case.  It requires opaque storage.  However, it does not need
verification of the opaqueness.  Without verification, it is not possible for
a user to demand of another user to provide opaque storage for a program
(such as your constructor would do by default), because there is no way
that it can check if the storage it received is indeed opaque.

Which, IIRC, is what I replied back then as well (in different words, because
I hadn't thought as much about it).

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html

Attachment: signature.asc
Description: Digital signature

