Pesto: A Persistent Private Storage System

We can say that a personal computer is one that is available to the user when he wants to use it, while a private computer is one that is never available to others. We use the term private computing to describe the computational model which involves small, private, hand-held computers, i.e. Personal Digital Assistants (pdas). In general, a pda offers its user relatively few resources; a low-bandwidth user-interface, (relatively) low computational power, and highly variable communication resources. However, the pda excels in two aspect: Trust and Availability. A pda that is carried by its owner has great potential to be his private computer, an attractive sanctuary for private data and computations (such as creating digital signatures). Availability means that the pda can be used in new settings, but availability also means physical control over the device. Physical control is a prerequisite for secure operation of almost any device. With trust in the private computer itself in place, the challenge of private computing is to use a pda as solid ground from where to extend a user’s sphere of control to distributed and less-trusted resources he cares to use in a variety of different settings. The trend towards mobile computing adds the requirement that users should be able to roam between many different environments. Independent of what administrative domain they roam into, they want access to their personal resources while using resources available in that domain. As a general rule, we can say that policies, mechanisms and resources are different in each environment and system, and a lot of machinery between systems is necessary in order to maintain and achieve important nonfunctional aspects like security and safety across systems. However, creating this machinery is often impossible because policies and available mechanisms in the different domains are too diverse. We believe that ubiquitous computing requires a platform for distributed systems and applications that makes no assumptions on the environment the user currently is in. There are basically two possible ways to support private computing. One can either build all the required machinery into the applications, or one can provide the applications with an underlying infrastructure. The latter approach leaves