From: ness
Subject: Re: The Perils of Pluggability
Date: Mon, 10 Oct 2005 21:40:40 +0200
User-agent: Mozilla Thunderbird 1.0.6 (X11/20050813)

Jonathan S. Shapiro wrote:
On Mon, 2005-10-10 at 13:38 +0200, Alfred M. Szmidt wrote:

In some cases this is true. In some cases it is probably less true than we would like to believe.

So: pluggability is good, and necessary, but there are places where it is a very bad idea, and the proc server is a good example of where it is bad.

I strongly disagree, me running my own proc server will not affect anyone, unless they say that they trust my proc server. And I cannot tell the other user to trust it.

The problem isn't really trusting your proc server. The problem is that any time I call a process *created* by your proc server I am trusting your proc server, and this means that I have to authenticate the process abstraction itself before I can call anything.

Why do I have to trust the proc server if I want to call a process? But more in general: what you say might be true. You maybe will sometimes not be able to do something as you don't trust a component. That's acceptable. But most often (always?) programs don't have to care about it, as such operations will simply fail (imagine e.g. 2 processes using different auth servers).

All of these authentications are certainly possible, but in practice they are too hard a burden and programmers do not do them.

Let me back up: what functionality is provided by instantiating a new proc server? Perhaps there is a design that can achieve this securely.

shap

--
-ness-