Michael Turyn: "whatever we do which might displease the government or a real or fictive person with power is almost certainly being done at the same time by a lot of other people."

That's only a statistical comfort, of course. But then most comfort probably is. (Who designed this place, anyway?)

Andrew A. Gill:

  if anyone knows of a good combined worldview that satisfies both, I'd love to hear about it.

  s/hear about it/torture you until you let me patent it/

Never! I patent things only in self-defense. *8) I'd prefer you shouted it from the rooftops, so no one could patent it...

Andy Latto: "Instead, your HTML repair and rendering engine should be on top, and the security layer should be underneath. When the rendering engine determines that the HTML, as repaired, instructs it to delete a file, it calls delete-a-file-if-security-permits, and *then* the security layer gets involved, deciding whether that particular file system operation (or network operation, or whatever) should be permitted at that time."

That would be ideal. Unfortunately on many boxes it's not practical to slip the security layer in under the rendering layer, because the rendering layer is in the operating system (and the security layer is either above that for practical reasons, or in a separate box entirely). But when you can do it, it's great.

How many operating systems (not counting the JVM as an operating system) have access controls based on the network address / email address / PGP credentials of the (effective) originator of the request? There are a few places where security models do allow for that. The JVM is one (to an extent). The Execution Control Lists in Lotus Notes are another (you can tell Notes who you trust to execute what classes of function, and then email from untrusted people that contains scripts to format your hard disk won't work), and I think the signed macros in recent (after I stopped paying close attention) versions of Microsoft Office are another. Things like ZoneAlarm and Norton Whatever do a sideways version of this, by granting network access using the identity of the program that's asking as the effective 'identity' (this has some interesting properties).

It'd be cool (if maybe expensive performance-wise?) if some widespread OS had a sufficiently rich notion of requestor identity (beyond "people with accounts on this box") to do it down at the filesystem / memory-access / etc level. Some Linux version? (All Unix machines everywhere, using a facility that I am temporarily ignorant of? BeOS?)

DC
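The "rendering engine on top, security layer underneath" layout that Andy Latto describes, keyed on the originator's identity the way a Notes-style Execution Control List is, as an added illustration that is not code from the original message or from any of the products named in it. The toy markup, the in-memory filesystem, the names (ExecutionControlList, SecurityLayer, RenderingEngine, Principal) and the sample identities are all constructed for the example; a real renderer would call into the security layer the same way for every side-effecting operation, not just file deletion.

```python
"""Added example: a renderer that never touches the filesystem directly.

Every side effect the (repaired) document asks for is routed through a security
layer that decides based on who the content effectively came from. All names and
the <script> syntax here are assumptions for illustration only.
"""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Principal:
    # Effective originator of the request: a verified mail sender, a signing key id, etc.
    identity: str


@dataclass
class ExecutionControlList:
    # identity -> set of operations that identity is trusted to trigger
    grants: dict = field(default_factory=dict)

    def allows(self, principal, operation):
        return operation in self.grants.get(principal.identity, set())


class SecurityLayer:
    """Underneath the renderer: the only code that performs side effects."""

    def __init__(self, ecl, filesystem):
        self.ecl = ecl
        self.fs = filesystem   # constructed in-memory filesystem: path -> contents
        self.audit = []        # (identity, operation, target, decision) for review

    def _decide(self, principal, operation, target):
        ok = self.ecl.allows(principal, operation)
        self.audit.append((principal.identity, operation, target, "allow" if ok else "deny"))
        return ok

    def delete_file_if_permitted(self, principal, path):
        # The renderer asks; the security layer decides and only then acts.
        if not self._decide(principal, "delete_file", path):
            return False
        self.fs.pop(path, None)
        return True

    def read_file_if_permitted(self, principal, path):
        if not self._decide(principal, "read_file", path):
            return None
        return self.fs.get(path)


# Toy instruction syntax for the example: <script>delete PATH</script> / <script>read PATH</script>
SCRIPT_RE = re.compile(r"<script>\s*(delete|read)\s+(\S+)\s*</script>")


class RenderingEngine:
    """On top: repairs and interprets the markup, then asks the layer below for each side effect."""

    def __init__(self, security):
        self.security = security

    def render(self, html, originator):
        # Toy "repair" step: normalise tag case and stray whitespace before interpreting.
        repaired = re.sub(r"<\s*(/?)\s*(\w+)\s*>",
                          lambda m: "<%s%s>" % (m.group(1), m.group(2).lower()), html)
        results = []  # (operation, path, succeeded)
        for op, path in SCRIPT_RE.findall(repaired):
            if op == "delete":
                ok = self.security.delete_file_if_permitted(originator, path)
            else:
                ok = self.security.read_file_if_permitted(originator, path) is not None
            results.append((op, path, ok))
        return results


def demo():
    # Constructed sample state: two files, one read-only sender, one fully trusted key.
    fs = {"/home/dc/notes.txt": "hello", "/home/dc/secret.txt": "..."}
    ecl = ExecutionControlList({
        "alice@example.org": {"read_file"},
        "admin-key-ABCD": {"read_file", "delete_file"},
    })
    security = SecurityLayer(ecl, fs)
    engine = RenderingEngine(security)
    # Same message rendered twice; only the originator differs.
    mail = "<SCRIPT> delete /home/dc/notes.txt </SCRIPT><script>read /home/dc/notes.txt</script>"
    untrusted = engine.render(mail, Principal("stranger@example.net"))  # both denied
    trusted = engine.render(mail, Principal("admin-key-ABCD"))          # delete allowed, then read fails
    return untrusted, trusted, security.audit


if __name__ == "__main__":
    for row in demo()[2]:
        print(row)
```

The point of the split is that the renderer contains no policy: an unknown sender's script gets parsed and understood just like a trusted one's, but the deletion is refused (and logged) at the layer that actually owns the file. The audit list is what a defender would feed into monitoring; a burst of "deny" rows from one identity is the signal that content is trying to do things its originator was never trusted to do.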