1
0
forked from cheng/wallet
wallet/docs/network_operating_system.html
2022-02-18 13:33:27 +10:00

145 lines
8.8 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
body {
max-width: 30em;
margin-left: 2em;
}
p.center {text-align:center;}
</style><title>Network Operating System</title>
</head>
<body>
<p><a href="./index.html"> To Home page</a> </p>
<h1>Network Operating System</h1>
<p>The network should be stupid, and the applications smart as argued in the
1984 paper <a href="http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.txt">End-to-End
Arguments in System Design</a> by Reed, Saltzer, and Clark.</p>
<p>The question then, is how do applications find each other and talk
securely to each other?</p>
<p>End-to-end as an ideal in network design has come under attack from
network suppliers.</p>
<p>to paraphrase Trotsky, the endpoints may not be interested in the middle,
but the middle is interested in the endpoints.</p>
<p>Providing optimized service, providing degraded service (for example to
collect rents to restore service to normal levels), and surveillance are
all reasons for the network to take an active interest in what its
endpoints are doing.</p>
<p>The solution is end to end encryption at the packet level, encryption on
top of udp, with reliable encrypted transport on top of unreliable
encrypted transport rather than SSL on top of TCP but, as experience has
proven, end to end encryption does not work with unique true names, which
is what DNS was designed to support. Need Zookos triangle in place of
DNS, rather than on top of DNS, so that you find the network address of an
entity from the hash of the rule that its public key satisfies.</p>
<p>In other words, for the end points to enforce the end to end ideal a
whole new infrastructure on top of UDP and in place of TCP, DNS, and CAs
is needed.</p>
<h2>Solution</h2>
<p>Build a crypto currency with the equivalent of namecoin built in.</
<p>Link in the </p>
<p><br/>
</p>
<p><br/>
</p>
<p>Naming system follows Zookos triangle. </p>
<p>Because humans cannot themselves perform cryptographic operations, nor
remember public keys as names of entities, the user interface becomes part
of the security problem.&nbsp; It is typically the unsecured part of a
secured channel, the weak link in the chain.</p>
<p> Thus a security proposal needs to be described with a description
centered on its user interface and perceived behavior.&nbsp; The security
behavior should reflect the user interface it should behave as the user
expects.</p>
<p> Many of our security problems arise because the email interface is
inconsistent with its actual security properties:&nbsp; An email that
appears to come from Bank Alice does not necessarily come from Bank Alice.</p>
<p> Thus general security requires a secure name system, Zookos triangle,
which requires not just a bunch of cryptographic algorithms, but a bunch
of tools for managing and sharing information about names requires a
whole lot of secure user interface.</p>
<p> Your browser bookmark list, and your various contacts lists <i>almost</i>
support Zookos triangle, and <i>almost</i> have Zooko like behavior, but
have various small subtle deviations in their behavior that make them not
quite suitable.</p>
<p> This is in part because they were built without concern for security,
and in part because they are built on top of a system that is wildly
different from Zookos triangle.</p>
<p> In a system based on Zookos triangle, you would not have DNS, for DNS
exists to render true names for network addresses humanly memorable, and
in Zookos triangle, true names for network addresses are not humanly
memorable.&nbsp; Thus building a Zooko system on top of the existing
system turns out to be problematic, even though in practice DNS urls are
seldom all that humanly memorable, so that actual usage and actual user
interfaces have become Zooko like, it insecurely maps non unique human
memorable names to unique, non human memorable, insecure names.&nbsp; A
secure naming system would securely map non unique human memorable names
to unique non human memorable cryptographically secure names.</p>
<p> DNS requires a center, since the supply of human memorable true names is
limited, and therefore true names have to have a price.&nbsp;&nbsp; This
center leads to no end of security problems.&nbsp;&nbsp; A system in which
true names are or contain hashes of rules identifying public key chains
can be centerless, and therefore end to end.</p>
<p>Globally unique names for mutable items are a public key plus some
network hinting non human readable information, plus non human readable
distinguishing information for all the many mutable items associated with
a single public key.&nbsp; Immutable items are a hash plus some network
hinting non human readable information. .</p>
<p>These get converted into a network address and shared secrets.&nbsp; The
conversion process should support NAT penetration.&nbsp; The network
address and shared secrets constitute a connection, which may then, for
some objects, get converted into a local copy of the object. </p>
<p>At this point protocol negotiation occurs, in which the protocol is
identified absolutely, and in a duck type sense.&nbsp; (You dont want to
make a connection that is then going to crash for failure of <a href="./duck_typing.html">duck
typing</a> you want such failure to occur immediately, where it will
give a version error, rather than in the middle of the interaction, where
it will give an obscure <a href="./duck_typing.html">duck type</a>
error.&nbsp; Remember, end users, not programmers, will be making
connections, thus the flexibility of <a href="./duck_typing.html">duck
typing</a>, which causes much grief for programmers, would cause
intolerable grief for end users. </p>
<p>Since we automatically have end to end encryption, we can transmit
capabilities, including capabilities with monetary value.&nbsp;</p>
<p>Capabilities with monetary value are a low level concept, a software
primitive that all applications can easily and routinely use.&nbsp; A bank
account is a swiss numbered account, and all you need to “open” an account
is to invent a public key, private key pair.&nbsp; </p>
<p>Everything in the system is an object, in the sense of uniting data and
code, and exposing some interfaces&nbsp;</p>
<p>The code that implements those interfaces is downloaded with the data -
but, as with Caja, it is limited by the capability discipline so that it
cannot take over your computer.&nbsp; It can only do stuff through
capabilities you pass in, or that it brings with it.&nbsp; It does not
have access to the rest of your computer, except through such capabilities
as you pass in, as in Caja.&nbsp;</p>
<p>Every object can be inspected by other objects, in that other objects can
see its methods and the argument types that its methods require, as in the
Go languages duck typing.&nbsp;</p>
<p>With some objects, you can interact with them over the network, passing
them object identifiers as arguments, with other objects, you download a
local copy, and with some objects, you can do either one and it is
optimized on the fly.&nbsp; The distinction is translucent, but not
transparent. </p>
<p>The most trivial objects, and one of the most common arguments, is an
immutable string or number, which can be represented by its hash, but for
small strings, is usually identified by the string itself.&nbsp;&nbsp;
However, if what you are passing is, for example, access to a routine that
makes available resources on another computer, a high level object, duck
typing means that it is known to be a high level object, not a string that
the program applies ad hoc code to to turn into a high level object.&nbsp;
If it is an object of the wrong type, duck typing will generate a
relatively meaningful error message.</p>
<p>Objects interact by message, rather than by call every object has a
message pump.&nbsp; If you want to have call semantics, have to
laboriously put in Send message, handle reply.<br/>
</p>
<p>&nbsp;</p>
<p style="background-color : #ccffcc; font-size:80%">These documents are
licensed under the <a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/">Creative
Commons
Attribution-Share Alike 3.0 License</a></p>
</body>
</html>