At present, we’re in a bizarre situation where an email attachment is, in effect, given authority over your machine equal to your own; this is, historically, a result of the obsolete assumption that any software you run is your chosen tool, serving your purpose. This makes perimeter security brittle.

A modern approach would give executing software access only to the resources that it needs to perform its function. At a fine grain, this can be done through an especially clean implementation of encapsulated objects, with distinct object references to a file (for example) granting read access and write access, etc., to that file. The present system, in effect, grants general access to the file system together with a request to the program that it operate (only) on the file that you designate. This approach is termed “object capabilities”, an idea that has recently been making progress in the world of software engineering.

It’s good to see ongoing efforts to roll out concepts developed at PARC (I have a few in the queue…), and Content-Centric Networking is an extraordinarily valuable and important objective. This functionality — which would free the identity of content from ties to its storage location — was part of what we envisioned when I was involved in hypertext publishing development in the late 1980s, before the world was flooded by the churning sea of the WWW.

This concept is at a level of depth and generality comparable to Wulf’s proposal, and is largely orthogonal (and as is often true in architecting computational systems, “orthogonal” means “synergistic”).

It is of course true that crypto has been available for a long time; his concern, however isn’t secrecy, but authentication. What we don’t yet have is a simple, universal protocol for authentication that is as unspecialized, low-level, and universal as TCP/IP is for transmission.

As Wulf notes regarding the range of security policies that a mechanism of this kind could support, “an application can use any computable function to decide whether or not to provide its service to a client if it can be absolutely certain who is requesting it (emphasis added). This addresses a very different problem. It would use “public key cryptographic protocols”, but not necessarily for cryptography.

It is of course true that no proposal can solve all problems in an area as broad and amorphous as “secure computation”, but it is also true that fundamental changes in infrastructure can solve more problems than any 10,000 patches (of patches (of patches…)).

I think we need what Wulf advocates, and I think we need more.

Most data is stolen while at rest. Many (but not all and perhaps not even most) attacks result because we cannot build bug free software, nor even specify the security properties that the software we build ought to have.

Software engineering is no engineering at all but merely informal craftmanship. Until software construction becomes a rigorous discipline, that rests upon the same applied mathematical foundations as other engineering disciplines, I don’t hold much hope for this situation to change.