Red and Green

Linguaring IEEE Security Domain

Butler Lampson's viewpoint at the US National Science Foundation's 2005 Cyber Trust Meeting this fall.

Security architecture for ordinary computing can be described with two colors red and green.
[This is very like the beginning of firewall, MZ and DMZ; but now you can see firewall is eventually losting this artificial partition. L2-> L3->L4->...L7, firewall is controlling real information.But now I still agree with Butler Lampson's red and green.]
A typical user would have two environments: a red(risky) one, open to the myriad enchantments and attacks of today's internet, and a green(safe) one, which would be much more protected and have limited communication with world.

In the red side, we can do everything we want do; green side our important treasures are working here, we spend our money online, talk with trusted friends.

Red and green are common in military systems, they are easily implemented by two different machines. But for typical user, this is not very easy. Most of the people are not waking up to the risk.

We need not only red and green security model, but even more quantities of models. All these bottles are filled with different security, privacy, encrypted policy, etc. Everyone can select a suitable bottle to live in just as the house we now lived.

Here I think survive model could be more suitable.

Survive model roles:
Surviver
? - Identification
? - Agent, broker
Bottle
? - Risk
? - Internet link
? - Security Policy

surviver is the virtual mirror, bottle contruct a transparent, least open model for surviver to live safely.
this survive model should be easily accouted and usable.

Hope we can find the balance between simplicity and complexity.