Re: [Vrs-development] Re: [DotGNU]VRS architecture docs

From: Norbert Bollow
Subject: Re: [Vrs-development] Re: [DotGNU]VRS architecture docs
Date: Tue, 12 Feb 2002 20:00:49 +0100

Bill Lance <address@hidden> wrote:

> I think we are talking about two different things
> here.

Yes, about a practical problem (that makes the system
difficult to debug) and about a security problem.  As
is so often the case, the harder one tries to make
something secure, the harder it becomes to work with
the system, which again can easily have bad effects on

> One is the writing of Repository data to the
> local host disk.  I don't think we have a problem
> here.  There appears to be some straightforward ways of
> doing this that ensures the integrity and privacy of
> the data.  There is overhead and potential network
> lag, but that's a measurable and understood price.  

Please add "debugging inconvenience" to the price tag.
(It's very convenient in debugging if you have the data
on disk in some textual format).

> The real problem is a hostile host root user.

Yes.  This is the very serious problem.  I don't see any way in
which a host could be worthy of more trust than you have for
whoever has root on that host.

> We will probably simply have to assume on untrusted
> nodes coming to the party.  It certainly adds a large
> design burden.  But we are here to understand what
> problems we have to solve, and that appears to be one
> of them.

If we limit the system to dealing in information that does not
need to be kept secret, then every node can have a complete set
of data in unencrypted form, and a complicated transaction
verification protocol is necessary only for changes to the
information.  That sounds difficult but feasible to me.  But if
you want to empower untrusted nodes (which communicate only via
a slow, untrusted network) to act on confidential information in
a way which does not reveal the information to root on those
nodes, then I think that you have a problem that cannot be
solved in a practically acceptable way.

Greetings, Norbert.

Norbert Bollow
Norbert Bollow, Weidlistr.18, CH-8624 Gruet   (near Zurich, Switzerland)
Tel +41 1 972 20 59       Fax +41 1 972 20 69
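The "non-secret data" design sketched in the message above (every node keeps the full data set in plaintext, and only changes go through a verification protocol), as an added example that is not code from VRS, DotGNU or either author. It assumes a single maintainer who pre-publishes fingerprints of one-time Lamport signing keys, one per future change, and that every node has that fingerprint list; the Node and Maintainer classes, the change-record format and the sample records are constructed for illustration. Root on a hostile node can read everything (exactly the point made above) but cannot get a forged change accepted by an honest node.

```python
import hashlib
import json
import os

# Hypothetical toy model of a replicated, non-secret Repository.
# Signatures are Lamport one-time signatures built only from SHA-256,
# so the example runs on the standard library alone.


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def lamport_keygen():
    """256 pairs of random secrets; the public key is their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal one secret of each pair, chosen by the message-hash bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def fingerprint(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


class Maintainer:
    """Holds the signing keys; publishes only their fingerprints."""

    def __init__(self, n_changes: int):
        self.keys = [lamport_keygen() for _ in range(n_changes)]
        self.seq = 0

    def authorized_fingerprints(self):
        return [fingerprint(pk) for _, pk in self.keys]

    def make_change(self, key: str, value: str) -> dict:
        sk, pk = self.keys[self.seq]          # each key is used exactly once
        body = json.dumps({"seq": self.seq, "key": key, "value": value},
                          sort_keys=True)
        sig = lamport_sign(sk, body.encode())
        self.seq += 1
        return {"body": body, "pk": pk, "sig": sig}


class Node:
    """A replica. Its data is plaintext on disk: root can read it all."""

    def __init__(self, authorized_fps):
        self.data = {}
        self.authorized = list(authorized_fps)
        self.seq = 0
        self.log = []

    def apply_change(self, change: dict) -> bool:
        """Accept a change only if it is next in sequence and verifies
        under the next pre-published one-time key. Reads need no protocol."""
        body, pk, sig = change["body"], change["pk"], change["sig"]
        rec = json.loads(body)
        if rec["seq"] != self.seq or self.seq >= len(self.authorized):
            return False
        if fingerprint(pk) != self.authorized[self.seq]:
            return False
        if not lamport_verify(pk, body.encode(), sig):
            return False
        self.data[rec["key"]] = rec["value"]
        self.log.append(body)
        self.seq += 1
        return True


def demo():
    """Honest and hostile nodes replicate one change; the hostile node's
    root then tries to push a forged follow-up change to the honest node."""
    m = Maintainer(4)
    fps = m.authorized_fingerprints()
    honest, hostile = Node(fps), Node(fps)

    c1 = m.make_change("motd", "hello")
    ok_real = honest.apply_change(c1) and hostile.apply_change(c1)

    # Root on the hostile host reuses c1's key and signature with a new body.
    forged = dict(c1)
    forged["body"] = json.dumps({"seq": 1, "key": "motd", "value": "pwned"},
                                sort_keys=True)
    ok_forged = honest.apply_change(forged)

    # ...but root can of course read every value the node holds.
    readable = hostile.data["motd"]
    return ok_real, ok_forged, readable, dict(honest.data)


if __name__ == "__main__":
    print(demo())
```

The forged record fails twice over: its key is not the one pre-published for sequence 1, and even a correct key would not verify a body it never signed. What this model deliberately does not attempt is confidentiality, which matches the conclusion in the message: once the data is readable by root on an untrusted node, signatures protect integrity of changes and nothing more.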
