User:Mstone/Rainflow: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 1: | Line 1: | ||
== Introduction == |
|||
⚫ | |||
Software which cannot function in isolation exposes users to contingent hazards because users cannot perfectly distinguish benign from malicious software. |
|||
: ''When should our software automatically do risky thing X?'' |
|||
My goal is to define a family of decentralized [http://eprint.iacr.org/2007/399.pdf ceremonies] for use by authors, distributors, and consumers of software who wish to deal in evidence of software benignity. |
|||
⚫ | |||
: ''Suppose that we have mechanically acquired a program that purports to be Terminal-31 and that tells us that it is intended to be run de-isolated. Should we discard it, install it, or dialogue with the user?'' |
|||
== Background == |
== Background == |
||
Line 21: | Line 27: | ||
This proposal offers some new details for adventurous devil-spotters to peruse. |
This proposal offers some new details for adventurous devil-spotters to peruse. |
||
== |
== Framework == |
||
In order to answer the question as posed, we need two things: policy and evidence. |
|||
(a.k.a. the evil bit), no care for canonical formats or strict conformance with draft SPKI grammar: |
|||
By ''policy'', I mean a labeling of all possible action according to whether and how they should involve user interaction or whether and when they should be performed automatically. |
|||
I think we need this sort of policy to accommodate users whose needs vary, over both time and setting. |
|||
By ''evidence'', I mean roughly the information that decision-makers consume in order to reach good decisions. |
|||
== Idea Dump == |
|||
Policy seems like it can start off small -- just a pair of switches: |
|||
* a risk switch with two positions -- "I've got nothing to protect" and "I've got something to protect." |
|||
* an interaction switch with two positions -- "I never want to hear from you" and "I always want to hear from you." |
|||
Evidence should arise in the following way: |
|||
# People who want to create evidence about a ''subject'' should participate in a shared ''Witness activity''. |
|||
# Within that activity, they should generate a ''position'' about their subject. |
|||
# All available witnesses should collectively certify the ''affidavit'' (i.e. the position, its consensus set, and the set of remaining witnesses) with a multisignature. |
|||
: ''(NB: It seems reasonable to talk about an overarching relation among positions, consensus-sets, witness sets, and verifiers of same. I don't have a strong position yet on whether affidavits are precisely rows of |
|||
this relation or whether they might be more complicated subsets of it.)'' |
|||
== Exploratory Implementation == |
|||
For the purposes of exploration, and with no care for proper use of cryptography, we might take positions to be "the evil bit", e.g.: |
|||
My position on Terminal-31: |
My position on Terminal-31: |
||
Line 32: | Line 63: | ||
good. |
good. |
||
My |
My consensus set: |
||
⚫ | |||
27A9023A3642A3638EF67511B6D5DCC8E1D5034E Michael Stone |
|||
My position's attestation graph: |
|||
⚫ | |||
My witness set: |
|||
hash("9876FEDC"). |
|||
attests(michael,"{A1235}"). |
|||
27A9023A3642A3638EF67511B6D5DCC8E1D5034E Michael Stone |
|||
... |
Revision as of 21:06, 30 May 2009
Introduction
Software which cannot function in isolation exposes users to contingent hazards because users cannot perfectly distinguish benign from malicious software.
My goal is to define a family of decentralized ceremonies for use by authors, distributors, and consumers of software who wish to deal in evidence of software benignity.
Therefore, (while on the tradition of naming software via puns), I'll lay down some thoughts on how to act in the scenario:
- Suppose that we have mechanically acquired a program that purports to be Terminal-31 and that tells us that it is intended to be run de-isolated. Should we discard it, install it, or dialogue with the user?
Background
People in the OLPC community have been concerned with this question (and with variants and related questions) for some time:
- <trac>5657</trac>, on spoofing-resistant update algorithms for de-isolated activities
- questions on activity signing and update thread
- activity semantics conversation
- runtime build customization thread and <trac>6432</trac>
- user-created activities and updates thread
- horizontal distribution thread
- homunq's ideas on bundles and updates
Most likely, others have shared analogous concerns in their environments:
- citations needed
This proposal offers some new details for adventurous devil-spotters to peruse.
Framework
In order to answer the question as posed, we need two things: policy and evidence.
By policy, I mean a labeling of all possible action according to whether and how they should involve user interaction or whether and when they should be performed automatically.
I think we need this sort of policy to accommodate users whose needs vary, over both time and setting.
By evidence, I mean roughly the information that decision-makers consume in order to reach good decisions.
Idea Dump
Policy seems like it can start off small -- just a pair of switches:
- a risk switch with two positions -- "I've got nothing to protect" and "I've got something to protect."
- an interaction switch with two positions -- "I never want to hear from you" and "I always want to hear from you."
Evidence should arise in the following way:
- People who want to create evidence about a subject should participate in a shared Witness activity.
- Within that activity, they should generate a position about their subject.
- All available witnesses should collectively certify the affidavit (i.e. the position, its consensus set, and the set of remaining witnesses) with a multisignature.
- (NB: It seems reasonable to talk about an overarching relation among positions, consensus-sets, witness sets, and verifiers of same. I don't have a strong position yet on whether affidavits are precisely rows of
this relation or whether they might be more complicated subsets of it.)
Exploratory Implementation
For the purposes of exploration, and with no care for proper use of cryptography, we might take positions to be "the evil bit", e.g.:
My position on Terminal-31:
hash("ABCD0123"). name("Terminal"). version("31"). good.
My consensus set:
27A9023A3642A3638EF67511B6D5DCC8E1D5034E Michael Stone ...
My witness set:
27A9023A3642A3638EF67511B6D5DCC8E1D5034E Michael Stone ...