> We are finding security to be a real tough nut to crack. In our
> definition, programs can create yet more programs on other machines.
> It's necessary to add mechanisms to keep track of chains of privilege
> and prevent mutations, etc. simply having a "safe" execution
> environment isn't enough if it is possible to establish a collection
> of interacting machines which is not also "safe".
> I suspect before we get into picking a language we really ought to
> cogitate for a while and try to understant how much power we want to
> put into smart documents.
Yes, a very tough nut to crack. I'm glad to hear you say it, actually
-- I spent five years of my life working on this problem, I'm glad to
hear it isn't actually trivial!
I suggest that you might want to read my CSCW 92 paper on the ATOMICMAIL
language. This was a predecessor of Safe-Tcl, now defunct, but was
based on your beloved LISP syntax. You might find some of the security
problems in a safe LISP variant were already addressed in that work.
For my part, spending several years building a safe LISP variant was one
of the things that convinced me that Tcl was a far more appropriate
language model for this sort of thing. -- Nathaniel