From: Ian Grant
Newsgroups: gmane.comp.gnu.lightning.general, gmane.lisp.guile.devel
Subject: Re: GNU Thunder
Date: Mon, 8 Sep 2014 21:00:30 -0400
References: <87iokzefgv.fsf@taylan.uni.cx>
To: "Taylan Ulrich Bayirli/Kammer", guile-devel-mXXj517/zsQ@public.gmane.org, lightning, schellr-EkmVulN54Sk@public.gmane.org, Richard Stallman, Theo deRaadt, Linus Torvalds, Markus Kuhn

On Sun, Sep 7, 2014 at 9:18 AM, Taylan Ulrich Bayirli/Kammer <taylanbayirli-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Also, since we define a simple semantics for which a new evaluator could
> be implemented at any time in any language, it becomes ever more and
> more implausible that *all* tools everywhere have been previously
> "patched" to infect all the evaluators being implemented or
> automatically generated in all kinds of different environments.

Dear Taylan,

Thank you. Yours is a concise and accurate statement of what I am proposing. If I had been able to write something that clear then I doubt there would have been any misunderstanding between Richard and me.

What I mean by a semantic fixed point is a fixed point of the _actual_ semantics, not the syntactic forms of the textual representations such as appear on a terminal window or in a text file dump. So we are going to do this under the assumption that the systems we are using _are in fact compromised._

One obvious consequence of this is that the assurance we obtain is always in the form of actual knowledge. So if, say, the Debian build team get together and go through such a validation exercise, then they can state they have done this, and document and explain the results on a web page, but this will not give anyone apart from them the knowledge of the security of the Debian build process, because the build team may have been infiltrated. But if another team of system administrators at a university, say, were to repeat the Debian exercise, using a different implementation of the reference compiler, one they created themselves, on systems that were isolated as far as they could determine, and perhaps whilst wearing tin-foil hats as William recommends, then they would know they shared that knowledge with the Debian team. But no-one else would have good reason to believe that what _they_ downloaded from the Debian mirrors was actually the real deal. So what we will be publishing is not a certificate of security, it is a method of _actually knowing_ that the system is _very probably_ secure. So it is extremely important that we explain very, very clearly what this form of a trusted computing platform really is.

Thank you for your clarification. And please post any further thoughts you might have to this thread.

Ian