% Fate-sharing, end-to-end arguments, and secrecy % Michael Stone % July 12, 2014 [Fate-sharing] is the principle that "it is acceptable to lose the state information associated with an entity if, at the same time, the entity itself is lost." ([interpretation](http://mercury.lcs.mit.edu/~jnc/tech/end_end.html)) [End-to-end arguments] look like this: > The function in question can completely and correctly be > implemented only with the knowledge and help of the application > standing at the end points of the communication system. Therefore, > providing that questioned function as a feature of the > communication system itself is not possible. (Sometimes an incomplete > version of the function provided by the communication system > may be useful as a performance enhancement.) Here is an analogous end-to-end secrecy argument: > The secrecy goal in question can completely and correctly be > achieved only with the knowledge and help of the application > standing at the end points of the communication system. Therefore, > achieving that questioned secrecy goal as a feature of the > communication system itself is not possible. (Sometimes an incomplete > version of the secrecy goal achieved by the communication > system may be useful as a performance enhancement.) What do we think? Should end-to-end arguments and the fate-sharing design principle guide the design of control systems intended to produce secrecy as well as availability? In particular, when planning software deployments, should we think of deploying components to "secrecy zones" dually to how we currently deploy components to "availability zones" to control for common-mode infrastructural failures & hazardous behavior? [Fate-sharing]: http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf [End-to-end arguments]: http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf