- From: Steven D. Majewski <sdm7g@virginia.edu>
- Date: Thu, 9 Mar 1995 15:39:34 -0500 (EST)
- To: Rick Troth <TROTH@ua1vm.ua.edu>
- Cc: Multiple recipients of list <www-talk@www10.w3.org>, agents@sun.com
On Thu, 9 Mar 1995, Rick Troth wrote:

> This may have been mentioned before, but it would seem that
> most of the "is this operation okay?" could be bypassed if the script
> were signed electronically ... something that you could trust. No?

Authentication is necessary but not sufficient.
( I trust my mother, but I still cut the cards! :-)

Recall that the Morris Internet Worm would have been benign and hardly noticed if it hadn't been for a bug in the code that caused it to replicate faster and use more resources than it was supposed to, thus bringing a great many machines to their knees.

So, for example, you might allow some classes of users/sources a less restricted environment than others. ( For example: people trying out a free demo, vs. fully paid up customers. ) But you would still not want their careless bugs to have some fatal effect.

For client-side agents, privacy is probably the main concern. Even when you know the source, you want to ensure that their agents can do only what they are allowed to do. ( For example, perhaps you might not want it collecting marketing information about you while it's doing some other visible operation that you actually requested. ) As Nathaniel has noted before - that doesn't require an interactive user confirmation if you set up the rules beforehand.

What I would propose is that, as in TeleScript, there be some sort of negotiation over a "ticket" before a script is accepted. One of the things that ticket could state is (roughly) what resources the script will require. ( Max CPU ticks, write access to temp or permanent files, read access to files, etc., as well as billing information ( "This agent is not authorized to run up more than $10 in charges." ) and perhaps language, required standard libraries or classes, etc. ) The "ticket" protocol is used to decide whether to accept the script. It's up to facilities in the "safe" language to ensure that the script keeps that contract.

[ BTW: Does anyone know how CORBA handles authentication ? Does it have any sort of "ticket" negotiation ? ]

> Personally, I'm a fan of Tcl, but I loathe exclusionism
> (having been on the excluded end enough times).

I certainly think we can cooperate on building an *architecture* before we start fighting about a language. ( And judging from past flame-wars, once we start fighting about "The" language, it's going to get ugly. Also - to be honest - I think once we DO have a better idea of demands and requirements, I suspect that we'll find that neither Tcl nor Python nor Scheme ( certainly not, as they are currently ) are quite capable of what we want to do, and we'll take what we've learned from these experiments and design something from the ground up. Maybe it will be a higher level virtual machine, and thus leave the syntax wars out of it. )

---| Steven D. Majewski (804-982-0831) <sdm7g@Virginia.EDU> |---
---| Computer Systems Engineer University of Virginia |---
---| Department of Molecular Physiology and Biological Physics |---
---| Box 449 Health Science Center Charlottesville,VA 22908 |---
Received on Thursday, 9 March 1995 15:40:22 UTC
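The "ticket" negotiation and the "safe language keeps the contract" enforcement proposed in the message above, as an added example that is not part of the original post and is not code from TeleScript, Safe-Tcl or any other project named in the thread. Python is used as a stand-in for whatever "safe" language the host would run; the class and user names, paths, ceilings, the "safe-tcl" language label and the HMAC used in place of a real digital signature are all assumptions. It shows the three points of the reply together: a signature (verify_signature) is checked but bypasses nothing; free-demo and paid-up sources are held to different ceilings when the ticket is negotiated; and an accepted, authenticated script is still cut off by the sandbox when a bug runs it past its CPU budget or it tries to read something the ticket never covered.

```python
import hashlib
import hmac
from dataclasses import dataclass

fs = frozenset  # shorthand for the path and library sets below

class ContractViolation(Exception):
    """Raised when a script exceeds the ticket it negotiated."""

@dataclass(frozen=True)
class Ticket:
    """What a script declares it needs before the host agrees to run it."""
    principal: str            # authenticated submitter
    max_cpu_ticks: int        # "Max CPU ticks"
    read_paths: frozenset     # directories it may read under
    write_paths: frozenset    # directories it may write under
    max_charge_cents: int     # "not authorized to run up more than $10"
    language: str             # interpreter it expects
    required_libs: frozenset  # standard libraries / classes it needs

# Per-class ceilings (assumed values): free-demo users get less than paid-up customers.
CEILINGS = {
    "demo": Ticket("*", 1_000, fs({"/tmp"}), fs({"/tmp"}), 0, "safe-tcl", fs({"http"})),
    "paid": Ticket("*", 100_000, fs({"/tmp", "/home/me/public"}), fs({"/tmp"}),
                   1_000, "safe-tcl", fs({"http", "mail"})),
}

def _under(path, roots):
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)

def sign_script(script: bytes, key: bytes) -> bytes:
    return hmac.new(key, script, hashlib.sha256).digest()  # HMAC stands in for a real signature

def verify_signature(script: bytes, signature: bytes, key: bytes) -> bool:
    """Authentication: proves who sent the script, not whether it is safe to run."""
    return hmac.compare_digest(sign_script(script, key), signature)

def negotiate(ticket, user_class, ceilings=CEILINGS):
    """Host side of the ticket protocol; returns (accepted ticket or None, reason)."""
    cap = ceilings.get(user_class)
    if cap is None:
        return None, "refused: unknown user class"
    checks = [
        (ticket.max_cpu_ticks <= cap.max_cpu_ticks, "cpu"),
        (ticket.max_charge_cents <= cap.max_charge_cents, "billing"),
        (ticket.language == cap.language, "language"),
        (ticket.required_libs <= cap.required_libs, "libraries"),
        (all(_under(p, cap.read_paths) for p in ticket.read_paths), "read access"),
        (all(_under(p, cap.write_paths) for p in ticket.write_paths), "write access"),
    ]
    for ok, what in checks:
        if not ok:
            return None, f"refused: {what} exceeds {user_class} ceiling"
    return ticket, "accepted"

class Sandbox:
    """Runtime side: every resource use goes through here, so the script keeps its contract."""
    def __init__(self, ticket):
        self.t, self.ticks, self.charged = ticket, 0, 0
    def tick(self, n=1):
        self.ticks += n
        if self.ticks > self.t.max_cpu_ticks:
            raise ContractViolation(f"CPU budget of {self.t.max_cpu_ticks} ticks exhausted")
    def read(self, path):
        if not _under(path, self.t.read_paths):
            raise ContractViolation(f"read of {path} not in ticket")
        return f"<contents of {path}>"  # stand-in for real file I/O
    def charge(self, cents):
        if self.charged + cents > self.t.max_charge_cents:
            raise ContractViolation(f"charge cap of {self.t.max_charge_cents} cents exceeded")
        self.charged += cents

def run_agent(ticket, user_class, agent):
    """Negotiate, then run agent(sandbox). Returns ('refused'|'killed'|'ok', detail)."""
    accepted, why = negotiate(ticket, user_class)
    if accepted is None:
        return "refused", why
    try:
        return "ok", agent(Sandbox(accepted))
    except ContractViolation as e:
        return "killed", str(e)

def runaway_agent(sb):
    while True:  # replication bug in the Morris-worm spirit: never stops
        sb.tick()

def snooping_agent(sb):
    sb.read("/tmp/query")  # the visible job the user asked for ...
    return sb.read("/home/me/private/addressbook")  # ... then quiet marketing collection

def honest_agent(sb):
    sb.tick(50)
    sb.charge(5)
    return "done"

DEMO_TICKET = Ticket("demo-user", 500, fs({"/tmp"}), fs({"/tmp"}), 0, "safe-tcl", fs({"http"}))
PAID_TICKET = Ticket("customer-42", 5_000, fs({"/tmp"}), fs({"/tmp"}), 1_000, "safe-tcl", fs({"http"}))
```

Running `run_agent(DEMO_TICKET, "demo", runaway_agent)` negotiates successfully and then returns `("killed", "CPU budget of 500 ticks exhausted")`: the source was accepted, the bug was not. `run_agent(PAID_TICKET, "paid", snooping_agent)` is killed on the second read, and presenting `PAID_TICKET` as a demo user is refused at negotiation because its CPU request exceeds the demo ceiling. The division of labour is the one the message describes: `negotiate` decides whether to accept the script at all, and `Sandbox` is the facility in the "safe" language that holds it to the contract afterwards, regardless of who signed it.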