Many of you are probably aware of the document on the wiki, "Correlating Bitfrost and Threats", attributed to Marc Stiegler. <a href="http://wiki.laptop.org/go/Correlating_Bitfrost_and_Threats">http://wiki.laptop.org/go/Correlating_Bitfrost_and_Threats
</a> . Still, browsing the archive for this mailing list, I do not see that this document has been discussed. So I'm writing this message to make sure all of the list subscribers have had a chance to read it. A quick "yeah, we've seen it, looks mostly [good/bad/indifferent]" would be fine as a reply, but substantive discussion should go on the talk page of that page, or be integrated into a new version of the bitfrost spec.
<br><br>Here's a copy of the executive summary:<br><br><p>Shortly after the page <a href="http://wiki.laptop.org/go/Threats_and_Mitigation" title="Threats and Mitigation">Threats and Mitigation</a> (hereafter referred to as "T&M") was posted on the OLPC wiki, the
<a href="http://wiki.laptop.org/go/Bitfrost" title="Bitfrost">Bitfrost</a>
specification for the OLPC security architecture was published. Those
two documents developed independently. Unsurprisingly, they are only
weakly correlated. This document, written by the author of T&M,
attempts to correlate the security with the threat.
</p><p>The conclusions are as follows: the Bitfrost architecture is
both stronger and easier to use than the traditional model of security.
It exceeds in many ways both expectations and hopes of the author of
T&M. However, Bitfrost only weakly addresses the two threats
considered, in T&M, to be the greatest risks. These risks are, the
use of the nigerian hoax for fraud, and the transformation of olpc
computers into spambots by use of email and chat attachments. Key
recommendations include:
</p>
<ul><li> The installation of applications under Bitfrost should be
tweaked so that, in addition to asking the application for a list of
requested endowments, the user is asked what kind of application is
being installed ("category-based installation"). The installation
endowment becomes the intersection of those endowments requested, and
those endowments appropriate for the application type. </li></ul>
<ul><li> A computer-based training system that makes olpc owners
resistant to nigerian hoaxes should be explicitly included in the
security specification.
</li></ul>
<ul><li> The Bitfrost mechanism for updating firmware should be given a
detailed end-to-end security review to ensure attackers cannot breach
the system and render olpc computers unrecoverable. </li></ul>
<ul><li> Resources for these additional development efforts can be
acquired by postponing development of the centralized "anti-theft" user
identification system and the centralized backup system until a later
release. </li></ul>
<dl><dd><ul><li> If olpc is unable to abandon these centralized
systems, decentralized architectures are proposed that achieve the same
goals while reducing single point of failure risk and privacy risk.
</li></ul>
</dd></dl>...end of quote<br><br>Personally, I think that point 4(a) is far more realistic than point 4. Otherwise, I agree with the document. Either way, it deserves wider discussion. Go comment on the talk page.<br><br>