l4-hurd

Re: Restricted storage


From: Bas Wijnen
Subject: Re: Restricted storage
Date: Thu, 1 Jun 2006 00:49:59 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Wed, May 31, 2006 at 06:28:06PM -0400, Jonathan S. Shapiro wrote:
> On Wed, 2006-05-31 at 15:33 -0600, Christopher Nelson wrote:
> > [Bas wrote]
> > > ...because there is no way that it can check if the storage
> > > it received is indeed opaque.
> > 
> > What's the point of providing opaque storage to store encryption keys,
> > if you cannot verify (or provide some guarantee) that it is, in fact
> > opaque?  You might as well not have it, because it provides you no
> > conceptual security.  It's not trustable.
> 
> This is entirely correct.

No, it's nonsense.  The program storing the encryption keys doesn't know if
the storage is opaque.  It doesn't care either.  It's the user who cares.  And
it's the user who chooses to use opaque storage (or not).  The user can trust
that the program runs on opaque storage, not because the programmer guarantees
this (by putting a check in the program), but simply by providing opaque
storage to the program.  (Intentional side-effect is that storage which is
given to some other user cannot be checked for opaqueness.  This can be
"fixed", but I'd rather not do that if possible.)

There may be some meta-data suggesting that this program should be run on
opaque storage.  However, it's still the user's choice if opaque storage is
indeed used.  And if not, the program should mind its own business and just
work as if it is running on opaque storage.  Otherwise debugging will be a lot
harder (because you won't actually be debugging the program that's used in
production).

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html

Attachment: signature.asc
Description: Digital signature
