From: Daniel Carrera
Subject: Re: [Monotone-devel] Monotone Security
Date: Thu, 16 Oct 2008 21:12:35 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Zack Weinberg wrote:
> I used the terms "sender" and "recipient" deliberately; as Ethan says downthread, the server itself is not a trusted entity in this architecture. Or, more precisely, security decisions are intended to be made at checkout time, not at propagation time.
Ok. But as I just said to Ethan, I was thinking about one specific threat. In that page I wrote, I mention other threats where the server is the bad guy (sender).
Your example about the BSDs was interesting though. I had not thought of a scenario like that, where the server is actually /supposed/ to have untrusted code (e.g. FreeBSD code which is untrusted by OpenBSD).
> Make more sense now?
I think we are on the same wavelength. You gave a good example where the security check really belongs at checkout time and not at propagation time. Please keep in mind that I was thinking about one specific attack. I was not intending to speak in the abstract.
Daniel.