[1252] in WWW Security List Archive
RE:
daemon@ATHENA.MIT.EDU (Thomas Reardon)
Sat Dec 16 00:42:41 1995
From: Thomas Reardon <thomasre@microsoft.com>
To: "c.flink@att.com" <c.flink@att.com>,
"www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>,
"Daniel A. Turner"
<tcg@us.net>
Date: Fri, 15 Dec 1995 18:54:22 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
David, you are radically rewriting what was said at the conference, and what
we've said in other forums.
Microsoft is investing in code signing, and we are building facilities into
Windows to support signature verification. Microsoft will NOT be THE
signing authority. Microsoft will NOT make $ from code signing. We are
providing an infrastructure that third-parties can leverage, including
third-party certificate authorities.
Microsoft will not "will know every single thing you do ". This is absurd
on the face of it. Listen and review what was said, and stop trying to
incite riots around non-issues.
This is goodness for everyone. We started this process because we wanted to
let users verify OLE Controls and Windows device-drivers. We realized since
that its important for Java applets as well, for any sufficiently rich
applet will want access to system services that are not necessarily 'safe'.
The initiative we announced includes proposals that we will submit to IETF a
nd possibly W3C *before* implementing.
-Thomas Reardon
Microsoft
----------
From: Daniel A. Turner[SMTP:tcg@us.net]
Sent: Friday, December 15, 1995 3:58 PM
To: c.flink@att.com; www-security@ns2.rutgers.edu
Subject: Re:
(Pre-Note: I got this information verbally. I have no written documentation
on it at all. None. Zilch. If I'm wrong, sorry. But I believe I'm right (of
course).)
At the WWW conference in Boston (4th Int'l Conference), Microsoft announced
(I believe they may have announced it prior to this conference, but *I*
hadn't heard about it) that they will be "authenticating" Java scripts with
some kind of "seal of approval". The idea is that they'll guarantee (for a
certain sum of $) that the script has passed all virus checks,
damage-to-whatever checks, etc. available at the time of approval. This may
solve the problem of accountability -- Microsoft will be accepting the
liability for suit based on a particular script.
Of course, this also means, in the future, that (since Microsoft will be the
first to make a site of this nature, and will naturally have the most $ to
back up their claim of reliability) if we do go to a machine which is based
entirely on Java, Microsoft will know every single thing you do -- imagine:
You download your word processor program. The browser sees that Microsoft
has "verified" this program and asks Microsoft to validate a checksum of
some kind. Microsoft now knows who you are (or at least where you are) and
what program you're running. Gee, how convenient ;)
As with any situation involving CA's, the solution is to have lots of CA's,
which creates problems of its own.
Just some thoughts and reports on the state of the universe.
later
DAT
>More importantly, users WON'T turn off Java. Animation and "cool
>graphics" are all part of the WWW addiction. The answer is not
>going to be found in telling users "don't do anything risky". We
>need to engineer systems that help assure accountability. We then
>need laws that hold people accountable. (I'm thinking of the
>digital signatures on Telescript scripts that (theoretically) ID
>the source (and verify the integrity) of the script. The script
>won't run unless verified and the source identified as trustworthy.
>Then, of course, the laws come into effect.... if the Trojan Horse
>was planted in such a way that the "source" didn't realize what
>was being "signed".... and who decides what "trustworthy" means....
>and who can sue who for how much.... and this requires a lot of
>legal groundwork that has yet to be started.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| Daniel A. Turner President, Turner Consulting Group |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| 2830 Calvert Street, N.W., Suite 2000; Washington, D.C. 20008 |
| Computer jacks-of-all-trades, specializing in Internet/WWW apps. |
| 202-986-5533(V) 202-986-5532(F) tcg@us.net(E) |
+++++++++++++++++++++++++++++++++++++++++++++++"Yes, it can be done"++
