- From: James A. Donald <jamesd@echeque.com>
- Date: Tue, 18 Jul 2006 08:24:35 +1000
- To: public-usable-authentication@w3.org
Bjoern Hoehrmann wrote:

> As you seem to accept that local files are not made
> available to arbitrary web sites [by successful cross
> site scripting attacks], why would it not be possible
> to apply the same protection to any other bit of
> information you would like to protect?

This is, of course, the principle of least authority - that not only should programs be given only that authority necessary, they should be designed so that they only require very little authority to carry out their tasks.

To implement least authority, we find that certain key subtasks have to be separated out, and given to more highly trusted code. The less trusted code should only be permitted to access potentially dangerous capabilities through the restrictive API provided by the more trusted code - the less trusted code is sandboxed by the API.

The intent is to ensure that we only have a reasonably small amount of highly trusted code, rather than having to trust a vast amount of software from innumerable diverse sources.

Creating logons, and logging in, would seem to be something that should only be done by highly trusted code. Logging in should be outside the sandbox - which is perhaps what Microsoft is doing with Infocard. Also, writing or reading to arbitrary parts of the screen should be outside the sandbox.

--digsig James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 zFgzH7ylxQzc9a4L8z8+IKsBrAKb0S3RQlmBiX15
 4y7jLzNcdPQuFhqbt2C+jz1M0lHCbrxKVVNYWYplJ
Received on Monday, 17 July 2006 22:24:38 UTC
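The message above argues that logging in should be done by a small amount of trusted code, with less trusted code reaching the dangerous capability only through a restrictive API. The following is an added illustration of that separation, written for this page and not taken from the thread, Microsoft Infocard, or any real product. The `TrustedLoginBroker`, `server_verify` and `sandboxed_login` names, the HMAC challenge-response scheme and the sample credentials are all constructed for the example: the broker keeps the per-site secrets and hands sandboxed code only an origin-bound `prove(challenge)` function, so the sandboxed code can complete a login without ever seeing the secret, and a response it obtains for one origin is not accepted by another.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

# Hypothetical trusted component (constructed for this example). It holds the
# per-site secrets and only ever hands out narrow, origin-bound capabilities.
class TrustedLoginBroker:
    def __init__(self, credentials: Dict[str, bytes]) -> None:
        # A real broker would load these from protected storage outside the
        # sandbox; here the caller passes constructed sample secrets.
        self._credentials = dict(credentials)

    def capability_for(self, origin: str) -> Callable[[bytes], bytes]:
        """Return a function that answers challenges for exactly one origin.

        The secret is captured in a closure: the sandboxed caller receives
        only the ability to produce a response, never the key material.
        """
        if origin not in self._credentials:
            raise KeyError(f"no credential for {origin}")
        secret = self._credentials[origin]

        def prove(challenge: bytes) -> bytes:
            # Mix the origin into the MAC input so a response produced for
            # one site cannot be replayed against a different site.
            msg = origin.encode() + b"\0" + challenge
            return hmac.new(secret, msg, hashlib.sha256).digest()

        return prove


# Hypothetical server side: recomputes the expected response from the shared
# secret and compares in constant time.
def server_verify(origin: str, secret: bytes, challenge: bytes, response: bytes) -> bool:
    msg = origin.encode() + b"\0" + challenge
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# Less trusted code: the only thing it is given is the capability function.
# It has no reference to the broker and no way to ask for the secret.
def sandboxed_login(prove: Callable[[bytes], bytes], challenge: bytes) -> bytes:
    return prove(challenge)


def demo() -> Dict[str, bool]:
    # Constructed sample credentials for two unrelated origins.
    creds = {
        "https://bank.example": b"constructed-secret-A",
        "https://shop.example": b"constructed-secret-B",
    }
    broker = TrustedLoginBroker(creds)
    cap_bank = broker.capability_for("https://bank.example")

    challenge = secrets.token_bytes(16)  # nonce issued by the server
    response = sandboxed_login(cap_bank, challenge)

    return {
        # The intended origin accepts the response produced via the capability.
        "bank_accepts": server_verify(
            "https://bank.example", creds["https://bank.example"], challenge, response
        ),
        # The same response is useless against the other origin, even though
        # the sandboxed code never had to know which secret was involved.
        "shop_rejects": not server_verify(
            "https://shop.example", creds["https://shop.example"], challenge, response
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The closure is only a stand-in for a real trust boundary: in Python the sandboxed code could still introspect the function object, so a deployment of this pattern would put the broker in a separate process or protected component and expose `prove` over an IPC channel, which is the point the message makes about keeping login outside the sandbox.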