[1626] in WWW Security List Archive
Re: Java "security holes'
daemon@ATHENA.MIT.EDU (David M. Chess)
Wed Mar 13 17:10:11 1996
Date: Wed, 13 Mar 96 14:08:13 EST
From: "David M. Chess" <chess@watson.ibm.com>
To: www-security@ns2.rutgers.edu
cc: mrm@doppio.Eng.Sun.COM
Errors-To: owner-www-security@ns2.rutgers.edu

> It's hard to argue with this statement:
>
> A security model should list all the things that are officially
> part of the security model.

Yeah, the great advantage of tautologies is that you don't
have to lie awake at night wondering if they're really true... *8)

> I was just trying to say that it's unlikely anyone knows 100% of all
> security-related things in a system.

Complete agreement. One of the (many) nice things about a
documented security model is that you have a list that
*claims* to be a complete statement of the security
characteristics of the system, so people working to improve
it have something concrete to start from.

Thanks again for the quick and cogent answers; nice to see
this being worked on and talked about.

DC