[1603] in WWW Security List Archive
Re: Java "security holes"
daemon@ATHENA.MIT.EDU (Marianne Mueller)
Mon Mar 11 15:21:24 1996
Date: Mon, 11 Mar 1996 08:58:08 -0800
From: mrm@doppio.Eng.Sun.COM (Marianne Mueller)
To: ekr@terisa.com, dhudes@panix.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

We're working on adding a signed class loader to the system, to allow
for the scenario where some authenticated class can be allowed more
functionality.

The hard part is the policy, that is, once you have an applet that you
*know* comes from Walmart, so what? Does that mean you allow that
applet to make connections to other Walmart applets, or does that mean
you allow that applet to access the Walmart shopping cart which is
implemented as a file on the client file system?

(I just made up those two examples so please don't take them as some
sort of statement about how we want to do things ...)

Marianne
JavaSoft
mrm@eng.sun.com