From: Bruce Stephens
Subject: [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway.
Date: Wed, 11 Apr 2007 21:51:09 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.95 (gnu/linux)

"Nathaniel J. Smith" <address@hidden> writes:
[...]
> So suppose that we want to determine whether some merge node R is
> trusted. What we can do is take the certs that claim it should be
> trusted, and walk over the graph checking for each node whether that
> particular node likes this cert, i.e., mapping our function over the
> DAG. This generates a new DAG in which all the values are simple
> binary scalars. I suggest that _this_ is the right DAG to calculate
> the meaning of "merge(S, T)", in the definition of inherent trust.
>
> For instance, in the examples from Problem 3, we are interested in
> whether c1 should be trusted:
>
>        +ab                   +abc
>        / \                   / \
>     +c/   \                 /   \-c
>      /     \               /     \
>    a1       b1           a1       b1
>      \     /               \     /
>       \   /+c               \   /+c
>        \ /                   \ /
>         c1                    c1
>
> In the left case, the c1 cert looks good according to a1, only, so we
> get a binary graph (using "+" for "trusted" and "-" for "not trusted")
> like:
>      -
>     / \
>    +   -
>     \ /
>      ?
> Clearly this merges to "+", i.e., c1 trusted.
>
> In the right case, the c1 certs look good according to a1 and the
> root, but not b1. So we get a binary graph like:
>      +
>     / \
>    +   -
>     \ /
>      ?
> Clearly this merges to "-", i.e., c1 untrusted.

Why is that clear?

Are you using *-merge here? I'm quite willing to believe *-merge
defines all these cases coherently; I just have the impression you're
assuming something somehow more primitive?
[...]
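
Added example, not part of the original message or of monotone's code: a scalar *-merge run over the two binary trust graphs quoted above, under the assumption that the merge in question is *-merge. The class and function names are hypothetical, and the sketch only covers the shape in the diagrams (single-parent nodes under one root, merged once).

```python
# Added example: scalar *-merge over the two trust graphs from the message.
# Node names (root, a1, b1) follow the diagrams; everything else here is
# hypothetical illustration, not monotone's implementation.

class Node:
    def __init__(self, name, value, parent=None):
        self.name, self.value, self.parent = name, value, parent
        # A node is "marked" when its value was set there: a root, or a
        # child whose value differs from its parent's.
        self.marked = parent is None or parent.value != value

def ancestors(node):
    """Non-strict ancestors: the node itself plus everything above it."""
    seen = set()
    while node is not None:
        seen.add(node)
        node = node.parent
    return seen

def star(node):
    """*(node): the nearest marked ancestor that gave node its value."""
    while not node.marked:
        node = node.parent
    return {node}

def star_merge(a, b):
    """Return '+', '-' or 'conflict' for merge(a, b)."""
    if a.value == b.value:
        return a.value
    a_seen_by_b = star(a) <= ancestors(b)  # b descends from a's marks
    b_seen_by_a = star(b) <= ancestors(a)
    if a_seen_by_b and not b_seen_by_a:
        return b.value                     # b overrode what a relies on
    if b_seen_by_a and not a_seen_by_b:
        return a.value
    return "conflict"

def left_case():
    root = Node("root", "-")               # root does not like the c1 cert
    return star_merge(Node("a1", "+", root), Node("b1", "-", root))

def right_case():
    root = Node("root", "+")               # root likes it, b1 revoked c
    return star_merge(Node("a1", "+", root), Node("b1", "-", root))

def both_changed():
    # Constructed third case: each side sets a different value on its own.
    root = Node("root", "?")
    return star_merge(Node("a1", "+", root), Node("b1", "-", root))

if __name__ == "__main__":
    print(left_case(), right_case(), both_changed())
```

Under that assumption the left graph resolves to "+" because only a1 changed the value, the right graph resolves to "-" because only b1 changed it, and two independent changes would be a conflict rather than a silent choice.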