[The following is excerpted from RISKS digest. I have sent mail to Valente asking him to be more specific about what kind(s) of encryption they use for their authentication routines. I am slighly worried by the somewhat naive statments in this posting. --AW] Date: 17 Jan 1994 20:09:29 -0800 From: "Luis Valente" <luis_valente@genmagic.genmagic.com> Subject: Safety in Telescript Phil Agre's message of January 6th ("Wild agents in Telescript?") brings up some very good points. In this message I would like to describe some of the safety features of Telescript that are used to prevent both ill-intentioned scripts (e.g., worms, viruses) and buggy scripts from damaging a Telescripted network. 1) The Telescript language is interpreted, rather than compiled. Thus, Telescript programs cannot directly manipulate the memory, file system or other resources of the computers on which they execute. 2) Every Telescript agent (i.e, Telescript program that can move around a Telescript network) is uniquely identified by a telename. A telename consists of two components: an authority which identifies the "owner" of the agent (e.g., the Personal Communicator from which it originated) and an identity which distinguishes that agent from any other agent of the same authority. The authority component is cryptographically generated and cannot be forged. Thus, when an agent is transferred from one Telescript engine to another, it is possible to verify (using cryptographic techniques) that the agent is indeed of the authority it claims to represent. (N.B.: a Telescript engine is a program capable of interpreting and executing Telescript programs). 3) Every Telescript agent has a permit which limits its capabilities. Permits can be used to protect users from misprogrammed agents (e.g., an agent that would otherwise "run away" and consume resources for which the user would have to pay) and to protect Telescript service providers from malicious agents. Two kinds of capabilities are granted an agent by its permit. The first kind is the right to use a certain Telescript instruction, e.g., the right to create clones of itself. The second is the right to use a particular Telescript resource and by which amount. For example, an agent is granted a maximum lifetime, a maximum size and a maximum overall expenditure of resources (called the agent's allowance), measured in teleclicks. An agent's permit is imposed when the agent is first created and is renegotiated whenever that agent travels to an engine controlled by a different administrative authority. If the agent exceeds any of its quantitative limits, it is immediately destroyed by the Telescript engine where it is executing. 4) Telescript agents move around a Telescript network by going from one Telescript place to another. Telescript provides an instruction -- go -- that gives agents this travelling capability (if granted by their permit, of course). Places are Telescript programs in their own right. Before accepting an incoming agent, a place can examine the agent's telename, permit and class (N.B.: an agent represents an instance of a Telescript class; thus, the class of the agent represents the "program" that the agent executes. Like authority names, class names cannot be forged). Based on that information, the place can do any the following: a) Do not allow the agent to enter. b) Allow the agent to enter but only after imposing upon it a permit more restrictive than the one it currently holds (e.g., the agent is only allowed to consume 100 teleclicks while in this place). c) Allow the agent to enter and execute under its current permit. 5) When a Telescript process (agent or place) interacts with another Telescript process, the telename and class of the former is available to the latter. This enables Telescript applications to control who can interact with them and in what ways. I hope this (brief) description of some of the more pertinent security features of Telescript will help Risks readers understand how we've addressed the issues raised in the NYT article and in Phil's message. -Luis Valente, General Magic, Inc. ------------------------------