I claim the following scenario is technically feasible with the possible exception of tamper proof hardware.
A hardware manufacturer M, is trusted by at least some, and delivers ‘boxes’ and claims that they have the following unalterable properties:
This is highly analogous to the boot process.
The decrypted program finds itself in a state much like the .program of an instance make by the factory.
- There is stored therein a private key that corresponds to this here public key: xxx.
- The use of the private key is limited to the following:
- A file delivered to the box, encrypted by that public key, will be decrypted and instantiated and given a brief amount of run time.
This means that the bits of that file will be placed in a segment which becomes the address space of an ordinary program.
The CPU will be set to executing the instruction at location 0.
- The CPU will have read-write access to the segment.
- No other domain in the box, (except those trusted to administer this contract) will have either read or write access to the memory.
- There will be a C-list the first 12 elements of which are as follows (the short list of foundational facilities)
- Capabilities beyond that may exist as provided by operator O of the box.
If the box maker is honest and competent then the controller of the box is not able to read the program or interfere with its behavior except by interactions of the program via those additional capabilities which the program may, or may not, choose to use.
Any modification of program behavior is under explicit control of the program’s reaction to messages received via those capabilities.
This is tantamount to the apartment with ‘attestation’ included.
The issue of tamper proof hardware largely disappears if O = M.
This is recursive.
It is possible to write a program and encrypt it as above so that it acts as the receptionist of some other class of programs with similar but different protections and opportunities.