There’s this fantasy that applications will someday be able to identify themselves. That is, they will be able to act as a “principal”, just like you or me. This doesn't make sense.
In reality, applications are agents: agents of a real user. That is, applications (i.e. code) act because a user told them to. If this were not universally true, then someone would have figured out true AI (artificial intelligence) and the landscape of computer systems as we know it would be forever changed. I’ve been watching the 5 o’clock news. There haven’t been any major breakthroughs in AI lately. Until that day, software is simply an agent of a user, period.
Some people think that if only you could identify the app, then you could hold the app-writer accountable and therefore hold harmless the user who unwittingly invoked the app.
But wait a second, how dumb could a crook be to let you know who he is? Let’s say he writes this awesome worm that completely messes with everything in your system. Is he going to sign the app as “Crook”? Is he going to place a return address on his app? “Here, I’m at 1111 Stupid Lane, come and get me!” Absolutely not! Hackers have always focused on those vulnerabilities which leave no trace back to them. That’s just common sense.
Let’s say you’re a good company, conscientious in every way. What’s the first thing you’re going to place on your license agreement? I’m no lawyer, but I expect it will read something like “XXX corporation is not responsible for any damages the user might encounter while using this software…” etc. etc. etc.
Now back to application IDs. I’m not saying that signing software isn’t a good idea. On the contrary! More and more applications are being delivered online. Signing the application manifest, including a digest of all binaries, is just common sense. But remember the disclaimer. The signatures are just there to enable you to 1) make an informed decision about whether the package you got came from whom you thought it did, and 2) detect any attempt to modify the application in transit. You can also use the manifest to ensure that the application remains unchanged over time.
What I object to is the notion that an application can act on its own. I object to the notion that an app can authenticate to a remote party. This makes no sense. On the other hand, if the user (i.e. a person) wants to cough up the manifest associated with the application he’s running, that’s certainly his prerogative. In fact, a relying party may require this. However, the trust, the liability, the responsibility is on the user to ensure that A) his system is functioning within parameters, B) the application he’s running is the one he wants and C) the actions taken on his behalf by the application are ultimately his responsibility.
Won’t this mean that users will be held accountable for stuff they have no control over? No. They can always choose not to run a piece of software, not to use a computer, or to use a different operating system. In fact, because software runs under the context of the user and the user most likely has the potential to do whatever it wants with the software, this actually creates a completely new problem. What’s to prevent a malicious user from intentionally modifying the software in such a way as to damage the reputation of the software publisher, or even to hold the software publisher accountable for actions taken with that software?
In short, applications are not principals. They do not act on their own. Software publishers are not responsible for the actions taken by a user. Users must always be held accountable for the actions they take, no matter the agent. Let’s make operating systems and software that enable users to make informed decisions about which agents to invoke, and allow them to control the rights and privileges afforded to the agent. This makes sense.
Posted Dec 13 2005, 08:36 PM by doug-walter