Advertisement

Proxy Trust

Bob Scheifler: The second ramification of dynamically downloaded code is the question of proxy trust. I have this downloaded code for the proxy, and I talk to you, the service, through that code. Somehow I decide to trust that code to do the right thing. For a simple example, say I download a proxy for you from somewhere, and I want to make a call through that proxy. I want to tell it, "Make sure the other end authenticates as Bill Venners." How do I know the proxy isn't simply going to lie and say, "Oh, yeah, sure, Bill's at the other end"? When I say, "Please transfer a hundred dollars," how do I know it won't say, "Oh, yeah, I transferred it," but transfer a thousand dollars instead?

Once I dynamically download code, and I perform any operation that has any sensitivity or liability—anything in the real world—I will be concerned whether I actually trust that code. Do I trust the proxy to carry out my requests and operate as I expect it to operate? We have to explicitly decide we trust the proxy in order to use it.