Return-Path: 
 <river-dev-return-4720-apmail-incubator-river-dev-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-river-dev-archive@minotaur.apache.org
Received: (qmail 10855 invoked from network); 1 Oct 2010 15:52:41 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 1 Oct 2010 15:52:41 -0000
Received: (qmail 98013 invoked by uid 500); 1 Oct 2010 15:52:40 -0000
Delivered-To: apmail-incubator-river-dev-archive@incubator.apache.org
Received: (qmail 97988 invoked by uid 500); 1 Oct 2010 15:52:39 -0000
Mailing-List: contact river-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:river-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:river-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:river-dev@incubator.apache.org>
List-Id: <river-dev.incubator.apache.org>
Reply-To: river-dev@incubator.apache.org
Delivered-To: mailing list river-dev@incubator.apache.org
Received: (qmail 97980 invoked by uid 99); 1 Oct 2010 15:52:38 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Oct 2010 15:52:38 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of
 SRS0=gNoar5=RD=wonderly.org=gregg@yourhostingaccount.com designates
 65.254.253.118 as permitted sender)
Received: from [65.254.253.118] (HELO mailout14.yourhostingaccount.com)
 (65.254.253.118)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Oct 2010 15:52:30 +0000
Received: from mailscan06.yourhostingaccount.com ([10.1.15.6]
 helo=mailscan06.yourhostingaccount.com)
	by mailout14.yourhostingaccount.com with esmtp (Exim)
	id 1P1hu4-00048s-PC
	for river-dev@incubator.apache.org; Fri, 01 Oct 2010 11:52:09 -0400
Received: from impout03.yourhostingaccount.com ([10.1.55.3]
 helo=impout03.yourhostingaccount.com)
	by mailscan06.yourhostingaccount.com with esmtp (Exim)
	id 1P1hu4-0005ip-SC; Fri, 01 Oct 2010 11:52:08 -0400
Received: from authsmtp06.yourhostingaccount.com ([10.1.18.6])
	by impout03.yourhostingaccount.com with NO UCE
	id DTs81f00607rVmq0000000; Fri, 01 Oct 2010 11:52:08 -0400
X-EN-OrigOutIP: 10.1.18.6
X-EN-IMPSID: DTs81f00607rVmq0000000
Received: from ip70-189-103-32.ok.ok.cox.net ([70.189.103.32]
 helo=[192.168.1.109])
	by authsmtp06.yourhostingaccount.com with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim)
	id 1P1hu4-0008CW-25; Fri, 01 Oct 2010 11:52:08 -0400
Message-ID: <4CA603A1.8060105@wonderly.org>
Date: Fri, 01 Oct 2010 10:52:01 -0500
From: Gregg Wonderly <gregg@wonderly.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
 rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: river-dev@incubator.apache.org
CC: Sim IJskes - QCG <sim@qcg.nl>
Subject: Re: Towards Internet Jini Services (trust)
References: <4C9DB5BF.8090307@zeus.net.au>
 <50E73BFB09C740C399530A7042EBDC5E@irt.vein.hu> <4CA313A3.60709@qcg.nl>
 <4CA3A549.3050903@zeus.net.au> <4CA3B37A.5010008@wonderly.org>
 <4CA5AC57.9000100@qcg.nl>
In-Reply-To: <4CA5AC57.9000100@qcg.nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-EN-UserInfo: 
 5bac21c6012e8295aaee92c67842fba3:d1e94006e19829b2b3cf849ab9ff0f3c
X-EN-AuthUser: greggwon
Sender: Gregg Wonderly <gregg@wonderly.org>
X-EN-OrigIP: 70.189.103.32
X-EN-OrigHost: ip70-189-103-32.ok.ok.cox.net

On 10/1/2010 4:39 AM, Sim IJskes - QCG wrote:
> On 09/29/2010 11:45 PM, Gregg Wonderly wrote:
>> For myself, the primary consideration is whether the arguments in RPC
>> calls are actually "downloaded classes" vs "downloaded data". In the
>> simple sense, "downloaded classes" are "downloaded data".
>
> I agree with you. A downloaded class is a specialization of downloaded data. Or
> maybe even not, but lets not go there.
>
> In general terms, a class has more degrees of freedom than data. Because a class
> is executed by a turing complete state machine and most of the time the machine
> executing data is less complete.

Trust is what I was trying to point at.  People download XML, Javascript on web 
pages, zip archives, executable programs and all kinds of things what at some 
point the data, becomes "the semantic meaning" and gets used by some "machinery" 
to cause action.

There is never validation done about anything more than structure (DtD, schema) 
of things like XML, or "machine magic number" for executables etc.  Only some 
simple evaluation of "will the machine accept this input" is done.

With Jini, people are constantly burdened by the whole idea of "what can we 
trust about this code", or "how can we prove no harm will come".

The answer is that only through exhaustive means can you do that for any 
instance of "the downloaded code", and what httpmd: and other similar things are 
about, is "identifying a version" that has been "evaluated" to be "what you 
expect".

Web sites publishing source code, binary distributions and other things that 
need to be trustworthy, also publish "hashes" of the "contents" to help people 
evaluate that they have "the right stuff".

So, I think we have ample ability to provide people multiple levels of trust 
assertion and trust evaluation already.

The problem is that we really feel like it needs to be "individual permissions" 
because that's the "tightest security model" that we can see and it seems very 
attractive to use it.  In the end, there are places where that is necessary, but 
more often than not, it is a large barrier which makes it very difficult to say 
"I trust the code" trivially.

For example, we don't have mechanisms which would allow a ServiceUI client, to 
"see" a service in the registrar, and only after seeing it and its source, 
signify trust, and then download code.  The original design has always been 
around the concept of "you start the VM with the trust asserted" and then it can 
only do what you've entrusted it with.

We need a lot more dynamics so that we can really see how hard it is to create 
real, working mechanisms for dynamically changing the trust relationships 
between the clients and the services.  And it needs to work remotely so that I 
can tell a service that it can use another service through administrative 
interfaces.

Gregg Wonderly

> My personal view on this matter revolves around the burden it puts on the user.
> When i download code and run its installer, i trust the code to well behave.
> When i run the installer i make one big trust decision. I can audit the files
> installed if i'm really paranoid, or a security researcher. When i run my jini
> application, it connects to some registry, downloads a jar into memory and
> executes it. This jar can be same as yesterday or it might not. I can't tell.
> Does it perform the same function?
>
> The basic components are the same, but i see distinct differences. Do you see
> this agility to take off in a corporate environment?
>
> Gr. Sim
>