Nomen Nescio <nobody@dizum.com> writes:

I don't see how this is going to work. The concept seems to assume that there is a distinction between "trusted" and "untrusted" programs. But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone. If you've loaded a Trojan application onto your machine, it can create an NCA, which would presumably be eligible to put up a "trusted" window.

So either you have to configure a different list of doggie names for every NCA (one for your banking program, one for Media Player, one for each online game you play, etc.), or else each NCA gets access to your Secret Master List of Doggie Names. The first possibility is unmanageable and the second means that the trustedness of the window is meaningless.

Maybe MS will implement something like the secure attention key in the old VAX A1 VMM (Ctrl-Alt-Del already serves this purpose for logins) which gives you a guaranteed non-spoofed interface to the kernel (see for example "A Retrospective on the VAX VMM Security Kernel" by Karger et al for more information on this). They certainly have the VMS knowhow :-). Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com