[OLPC Security] Application bundles and delegation

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Sat Feb 10 18:02:01 EST 2007


xuan wu wrote:
> That's fine with me, but maybe a system with no "root" control can be
> strange to somebody.

This is not acceptable to OLPC's educational principles. "No lockdown"
is really non-negotiable.

> Tens of thousands of applications may have millions of rules of
> permission request to announce. For example, the application App1 needs
> the "execution" permission to App2, App3, and App4. 

Bitfrost does not, at present, support this type of permission at all.
One bundle cannot execute software in, or read files from, another
bundle. System services can access all the bundles if necessary. Is
there a particular example you're thinking of?

> With the p2p network, there's no need for the database, as the group
> who use the laptops who know each other and have chances to see each
> other from time to time can be the identity database itself.

I don't understand. The reason the data is centralized is because it's
confidential, and you don't want it to be available to everyone. I don't
see how a P2P approach is even applicable to the problem. You can't
really do a threshold scheme, so you'd have to manage the keys for
encrypted replicas or shards centrally, which would re-introduce the
exact same point of failure as before, after increasing complexity and
brittleness several times over.

> Actually I didn't find how to disfunction the laptop after it's lost
> from the spec

Section 8.19.

> and won't it be better to have the ability to recover the
> laptop or trace the man who steals it?

It's trivial to collect trace information for stolen laptops that
connect to the internet, in addition to doing what we're doing already.

Cheers,

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D