[tahoe-dev] [tahoe-lafs] #995: It's way too easy to give away write directory caps

James A. Donald jamesd at echeque.com
Sun Mar 14 15:05:40 PDT 2010


On 3/15/2010 4:33 AM, tahoe-lafs wrote:
> I've just been looking at the implementation of Toby's
> [http://allmydata.org/pipermail/tahoe-dev/2010-March/004137.html
> Tahoe Explorer]. It seems very well-written and quite suitable to
> be included in Tahoe proper, so that we could adapt it to be a more
> secure replacement for the existing WUI.

It is obvious that capabilities need a capability explorer.

It has long been demonstrated that people cannot think both of
security requirements, and the task at hand, therefore expecting
people to use some non-capability tool to manage capabilities in a
secure manner is not going to work.  The tool has to invisibly address
security requirements without ordinarily requiring any extra clicks.

The task at hand is doing stuff, security requirements are stopping
people from doing stuff.  Further, there is a long long list of
dangerous actions to be avoided, to which no one is likely to pay
attention.

Cryptographers, among them myself, have a bad habit of dumping low
level cryptographic tools on end users, with the result that the user
has fifty-seven ways of doing something, of which seventeen are
obviously insecure, twenty-six are subtly insecure, and fourteen are
secure.  The user looks at the instructions and warnings, which merge
together in a great gray blur, and never uses the tool.

The tools need to be pre-assembled and complete so that there is one
simple and obvious way to do something, and it is the secure way.
