Skip to content

grammar and trusting providers #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
drbruced12 merged 2 commits into from
Aug 26, 2025
Merged

grammar and trusting providers #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ed699a2
grammar and trusting providers
drbruced12 Aug 26, 2025
4a65aa3
wording tweak
drbruced12 Aug 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion intro.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,7 +289,7 @@ focuses on network security, a reasonable starting point is to trust
the hardware/software on the systems you control, and to assume all
other systems you interact with are untrustworthy. But this definition
is problematic in a service-based environment like today's Internet,
where we end up also putting some amount of trust in the network
where we often end up putting some trust in the network
providers we connect to, and the cloud services we depend upon. In
many respects, identifying a TCB that meets our needs is an important
part of what makes security so challenging.
Expand Down
12 changes: 8 additions & 4 deletions principles.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,8 +78,8 @@ to mitigate such attacks.

.. sidebar:: Picking Your Battles

*Chapter 1 talked about trust and threats being two sides of the
same coin, but another way of thinking about it that every secure
*In Chapter 1 we talked about trust and threats being two sides of the
same coin, but another way to frame the discussion is that every secure
system design starts with two lists: (1) those elements you trust,
and so can build upon; and (2) those elements you do not trust, and
so must treat as a threat that you defend against. But this is no
Expand All @@ -91,7 +91,7 @@ to mitigate such attacks.
*One way in which security is unique is that over time you may
discover that you need to move items from the first list to the
second list, as new threats emerge. To reduce this possibility, it
is best to keep the first list as minimal as possible. On the other
is best to keep the first list as small as possible. On the other
hand, if you choose to trust nothing, you may end up "boiling the
ocean" (i.e., having to solve so many problems that you are unable
to make any progress). Every system must pick its battles.*
Expand All @@ -100,7 +100,11 @@ to mitigate such attacks.
starts with a list of trusted elements that includes commodity
servers and L2/L3 switches, and ignores (i.e., declares
out-of-scope) all the vulnerabilities those elements face and the
countermeasures that go into securing them.*
countermeasures that go into securing them. Of course, as soon as
those elements are located outside our control, e.g., in some
remote service provider's network, we have to assume that they
are untrustworthy devices capable of snooping on, modifying or
diverting traffic.*

As a consequence of these three main requirements—confidentiality,
integrity, and availability—additional requirements are placed on the
Expand Down