    Along those lines, though I guess it’s a little more worse-is-better flavored, end to end allows you some flexibility in dealing with errors. Imagine the perfect hard drive. You store a file, it gives you back the file as stored. One day there’s a bad sector. Now the drive, incapable of returning the file as stored, returns nothing. You lose everything. You can’t ask for the uncorrupted parts of the file, because that’s not part of the contract. The drive gives you whole perfect files or it gives you nothing. On the other hand, if the endpoint, the application, is responsible for deciding what to do with as much of a file as it’s possible to read, you have some data recovery options.

    In the crypto security space, this has some interesting implications. A message fails to decrypt. A web site fails to verify. What options do you provide the user to bypass verification? Actually, end to end, in the form of end to end encrypted messaging, really brings this to the forefront. Most users are not up to the challenge of “proper” key management. Pushing that responsibility all the way to the end is a serious UX hurdle to overcome.

      The end-to-end argument challenges this optimism directly. No matter the sophistication of the underlying building blocks, it argues, we’ll always have to define and enforce the essential correctness properties of our system at the topmost end-to-end layer of design. We can’t trivially derive correctness from the correctness of our subsystems: we must always consider it as an end-to-end property.

      Mathematically, this is completely untrue. Many desirable properties can be specified mathematically, and at least in principle, proven of some system in a proof assistant like Coq or Isabelle or Idris. The reason you can’t compose some correct TCP stack with some correct application-level code which assumes the absence of network partitions and have it be correct is not because “correctness doesn’t compose”, but because TCP does not and cannot guarantee the absence of network partitions in the first place.