Re: Agents

On Thu, 9 Mar 1995, Rick Troth wrote:
 
>         This may have been mentioned before,  but it would seem that
> most of the  "is this operation okay?"  could be bypassed if the script
> were signed electronically ... something that you could trust.   No?
 

Authentication is necessary but not sufficient.
( I trust my mother, but I still cut the cards! :-)
 
Recall that the Morris Internet Worm would have been benign and hardly 
noticed if it hadn't been for a bug in the code that caused it to 
replicate faster and use more resources than it was supposed to, thus
bringing a great many machines to their knees. 

So, for example, you might allow some classes of users/sources a less
restricted environment than others. ( For example: people trying out
a free demo, vs. fully paid up customers. ) but you would still not 
want their careless bugs to have some fatal effect. 

 For client-side-agents, privacy is probably the main concern. Even 
when you know the source, you want to ensure that their agents can 
do only what they are allowed to do. ( For example, perhaps you might
not want it collecting marketing information about you while it's 
doing some other visible operation that you actually requested. ) 

As Nathaniel has noted before - that doesn't require an interactive
user confirmantion if you set up the rules before hand. 

What I would propose is that, as in TeleScript, there be some sort of
negotiation over a "ticket" before a script is accepted. One of the things
that ticket could state is (roughly) what resources the script will 
require. ( Max CPU ticks, write access to temp or permanent files, 
read access to files, etc. as well as billing information ( "This agent
is not authorized to run up more than $10 in charges." ) and perhaps 
language, required standard-libraries or classes, etc. ). The 
"ticket" protocol is used to decide whether to accept the script. It's up to 
facilities in the "safe" language to ensure that the script keeps that contract. 

[ BTW: Does anyone know how CORBA handles authentication ? 
  Does it have any sort of "ticket" negotiation ? ] 


>         Personally,  I'm a fan of Tcl,  but I loathe exclusionism
> (having been on the excluded end enough times).
 
I certainly think we can cooperate on building an *architecture* before 
we start fighting about a language. ( And judgeing from past flame-wars,
once we start fighting about "The" language, it's going to get ugly. Also 
- to be honest - I think once we DO have a better idea of demands and
requirements, I suspect that we'll find that neither Tcl nor Python nor
Scheme ( certainly not, as they are currently ) are quite capable of 
what we want to do, and we'll take what we've learned from these 
experiments and design something from the ground up. Maybe it will be
a higher level virtual machine, and thus leave the syntax wars out 
of it. ) 

---|  Steven D. Majewski   (804-982-0831)  <sdm7g@Virginia.EDU>  |---
---|  Computer Systems Engineer          University of Virginia  |---
---|  Department of Molecular Physiology and Biological Physics  |---
---|  Box 449 Health Science Center    Charlottesville,VA 22908  |---

Received on Thursday, 9 March 1995 15:40:22 UTC