RE: Hypothetical design question

[ljknews <ljknews () mac com>]

At 1:11 PM +1030 1/28/04, Nick Lothian wrote:
> > In other words, could an email client be designed and 
> > implemented that would 
> > satisfy both the users and the security requirements?  Or, is 
> > the problem too 
> > difficult without sacrificing some functionality?
>
> I think the problem is too difficult.
>
> Given the email infrastructure we have at the moment, I think the only way
> to make a secure email client it to make one that only renders plain text,
> and strips all attachments.

That describes my normal email client (but not the one I use for mailing
lists).

> In dream mode, though: One hypothetical idea is to have some kind of
> persistent codebase on all attachments received. The operating system would
> then need to enforce permission checks based on this codebase (that could
> get pretty tricky - what happens when an attached word document is opened -
> How does the OS decide what calls are being done by the program, and what is
> being done by the document?). 

In general (not email) security discussions, a strong solution is to
use operating system Mandatory Access Control to prevent users from
executing any software not provided by the system manager.

That may be too restrictive for those who read this list, but it would
be just fine for a great many "computer users".