Discussion:
[OLPC Security] "Chilling Effects" paper at USENIX
Benjamin M. Schwartz
2008-04-09 02:24:34 UTC
A paper called "Freezing More Than Bits: Chilling Effects of the OLPC XO
Security Model" will be presented next Monday at USENIX UPSEC'08 [1]. The
author has kindly posted the paper at [2], which I discovered after Google
took me to her weblog [3].

It may be of some interest.

- --Ben

[1] : http://www.usenix.org/events/upsec08/tech/tech.html
[2] : http://www.cosic.esat.kuleuven.be/publications/article-1042.pdf
[3] : http://maradydd.livejournal.com/374276.html
Steffen Schulz
2008-04-09 20:32:32 UTC
Hi all,

If you ask me (I know you didn't), I think the paper is a little too
pessimistic.

Going to a conference like that with all these issues that mostly build
up on an incomplete/problematic spec of P_IDENT... I don't know..
Although it's of course the right approach to assume the worst when the
product is shipping while the security spec and implementation is not
finished..


Anyway. I wrote up some more detailed comments, but it doesn't really
make sense to speculate on plans and implementations. So the main
points of the paper, I think, that need to be addressed, are:

o reduce trust into backup servers
Don't publish prv keys of created identities at all. Instead:
- one could trust the server to do encryption as it sees fit
- the client can optionally password-protect the backup
- data gets a salted HMAC, not a signature
- the data is transmitted on a channel with mutual auth+enc

o useful P_IDENT
Obviously, not everything can be signed+encrypted (think http).
A useful approach may be to
- allow every app to use protected channels, e.g. by asking a key
negotiation service to create ephemeral strong enc+auth keys (e.g. IKE).
- support authentication via key continuity management
- have a separate sign() capability for apps that want to sign
documents (e.g. homework), with optional pw-protection

This will of course allow impersonation of users if someone else uses
their laptop, but this is a very obvious concept that kids will
understand. They will also understand that a password may help here.

o explicit support for anonymity+privacy
If the above issues are solved, anon+priv are not *that* much of a
problem. But still, I like the idea of explicitly supporting privacy in
local and global communication. This heavily depends on the appl.
protocols, the easiest solution would probably be to just install a
tor client that can be activated on demand. This may be a problem
for governments that would otherwise like to buy the laptop, so it
should probably be optional.


The very first issue of the paper is the very rough specification. If
you would give more details on how you plan to do things, eg showing
real protocol details, referring to existing standards etc, it would be
much easier to comment, suggest and implement. Or maybe I just missed
the wiki page or IRC channel where this is done?


Best regards,
Steffen
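As an illustration of Steffen's first point (a client-side, password-protected backup whose integrity comes from a salted HMAC keyed from the password, so no private key is ever handed to the backup server), here is an added example in Python. It is not code from the thread, from Bitfrost or from OLPC; the KDF choice, iteration count, salt length and the binding of the tag to an owner id are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed example; these parameters are assumptions, not from the post.
KDF_ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16              # per-backup random salt


def _mac_key(password: str, salt: bytes) -> bytes:
    # Derive the MAC key from the child's password plus a fresh salt: the key
    # never exists on the server, and identical data yields distinct tags.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def _tag(key: bytes, owner: str, salt: bytes, data: bytes) -> bytes:
    # Tag covers owner id, salt and payload, each length-prefixed so that
    # re-splitting the fields cannot produce the same MAC input.
    h = hmac.new(key, digestmod="sha256")
    for part in (owner.encode("utf-8"), salt, data):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def make_backup(owner: str, data: bytes, password: str) -> dict:
    """Client side: build the record the backup server stores opaquely.

    The server may encrypt it however it likes; it receives no signing key.
    """
    salt = os.urandom(SALT_LEN)
    tag = _tag(_mac_key(password, salt), owner, salt, data)
    return {"owner": owner, "salt": salt, "data": data, "tag": tag}


def restore_backup(record: dict, password: str) -> bytes:
    """Client side: accept the record only if its tag verifies under the password."""
    key = _mac_key(password, record["salt"])
    expected = _tag(key, record["owner"], record["salt"], record["data"])
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("backup integrity check failed: tampered record or wrong password")
    return record["data"]


def tampered_restore_fails(record: dict, password: str) -> bool:
    # A server that alters the stored data cannot re-tag it without the password.
    forged = dict(record, data=record["data"] + b" (altered on server)")
    try:
        restore_backup(forged, password)
    except ValueError:
        return True
    return False
```

The salt and tag travel with the record, so the restoring laptop needs only the password, not any key escrowed elsewhere.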
reynt0
2008-04-10 20:27:16 UTC
Post by Benjamin M. Schwartz
A paper called "Freezing More Than Bits: Chilling Effects of the OLPC XO
Security Model" will be presented next Monday at USENIX UPSEC'08 [1]. The
author has kindly posted the paper at [2], which I discovered after Google
took me to her weblog [3].
. . .
Post by Benjamin M. Schwartz
[1] : http://www.usenix.org/events/upsec08/tech/tech.html
[2] : http://www.cosic.esat.kuleuven.be/publications/article-1042.pdf
[3] : http://maradydd.livejournal.com/374276.html
. . .

I am not very familiar with the details of Bitfrost's spec,
but--IMO, FWIW--some comments about the paper as a paper. If
this isn't appropriate or isn't helpful, please tell me to
keep quiet.

There are more exclamation points than one might want to see
in a USENIX paper. There are some phrasings which seem a
little like emotional overemphasis. E.g. section 2.1's actual
"too young to read", versus something like "unable to read"
which would direct attention to users' real life situations
and the limitations which OLPC is trying to help lessen.
E.g. section 2.2's actual "poor management practices", versus
something like "low budget". E.g. that same section's lack of
recognition for the current-best-effort status of Bitfrost
and of deployments, as well as for OLPC's explicit consideration
of the problem of how to upgrade deployed units. Wouldn't one
usual response to supposedly flawed open-source work be to
ask how to help, rather than suggest it is not "Open"? There
is no expressed awareness of the usual contest between delaying
for a "final" specification versus accomplishing a needed task
*now*. (Who's the LISP guy who wrote the paper something like
"Perfect is the Enemy of Good Enough"?)

The paper says Bitfrost's threat model is "inappropriate",
but offers no explicit alternative. The paper seems to
give much of its attention to concerns about protecting
users' presumed tendency to use their laptops to criticize,
especially to criticize social elements which are powerful
enough to access user keys and restrict laptop use.

The paper has little discussion of the OLPC use model,
including considering education (and security policy
appropriate for that) versus wider social uses (and
security policy appropriate for them). (By "education"
here I am not excluding non-institutional life
experiences.) Compare section 3.2's actual "Subjecting
children to constant surveillance", versus something
like "Not perfectly prohibiting surveillance".

The paper's consideration of Piaget was interesting, and
the mention of Acquisti & Gross useful. I suggest that
Erikson may have been more culturally bound to his own
time and place. In any case, there is no consideration of
the relative significance of the XO experience versus the
significance of a child's other experiences. Who raises
the children, who "has the last say"? Their parents and
local others, or computer people in the distant, developed,
industrialized world?

I'm certainly in agreement with the aim of maximizing OLPC
security, but do feel the paper could have been more effective.

HTH. Cheers.
reynt0
2008-04-10 20:36:59 UTC
Oh yes, one other, more substantive, comment:

Is there presently policy about who decides default versus
optional settings? Does OLPC, or local sponsor, or
local server admin, or user, decide? Does this vary
depending on the specific system element involved?
Mark Miller
2008-04-10 21:12:33 UTC
[...] (Who's the LISP guy who wrote the paper something like
"Perfect is the Enemy of Good Enough"?)
Are you thinking of http://en.wikipedia.org/wiki/Worse_is_better ?
--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
reynt0
2008-04-10 21:25:46 UTC
On Thu, 10 Apr 2008, Mark Miller wrote:
. . .
Post by Mark Miller
Are you thinking of http://en.wikipedia.org/wiki/Worse_is_better ?
That's it :-)
