[2821] in WWW Security List Archive


Applet security (was Re: ActiveX security hole reported).

daemon@ATHENA.MIT.EDU (Michael Burati)
Tue Aug 27 17:28:45 1996

Date: Tue, 27 Aug 1996 15:50:25 -0400
To: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
From: Michael Burati <burati@apollo.hp.com>
Errors-To: owner-www-security@ns2.rutgers.edu

At 11:54 AM 8/21/96 EDT, David M. Chess wrote:
>Well, here's one rather obvious scenario:
>
>  - Java gets signature-authentication (as promised),
>
>  - All major browsers add an option to discard any
>    objects (applets, ActiveX controls, and so on)
>    that are not signed by a registered-as-trusted
>    party,
>...
>  - therefore the only objects that anyone will
>    realistically be able to use over the open Web
>    will be objects produced and signed by parties
>    that are in everyone's trust-database.  We can
>    speculate who that might be, but the makers of
>    browsers and operating systems seem like very
>    likely candidates, since systems can ship with
>    their public keys pre-installed!   *8)

The above is too binary for me (either I trust everything that's signed or
not).  What I really want is authorization based on who signed the applet
or by anything signed by a particular CA.  Any unsigned applet should be
relegated to working within the limited sandbox given to it by the browser.

I would then allow local filesystem access to applets signed by FOO, or by
users-with-certs-from-CAxxx, and/or allow remote network connections by
applets signed by FU and/or by users-with-certs-from-CAyyy&zzz...

Until then, how can I possibly trust automatically-loaded/run downloadable code?
I may trust one person signed by a particular CA to write applets that I'll
run outside of a sandbox, but not everyone that this particular CA trusts...

I haven't had time to keep up with what's being done in this area, so if
someone is already working on the above (fine grain authz, not just signing) I'd
like to hear about it...

..Mike
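A small policy evaluator in the spirit of the fine-grained authorization Mike asks for, added here as an example; it is not code from the post or from any browser of the time. It assumes the applet's signature has already been verified, so the evaluator only decides what a verified (or absent) signature is allowed to do; FOO, FU, CAxxx, CAyyy and CAzzz are the post's placeholder names, while the capability strings and the trusted-CA list are constructed. It also shows the distinction Mike draws between trusting one named signer under a CA and trusting everyone that CA certifies.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Unsigned or unverifiable code gets no extra grants: only the browser sandbox.
SANDBOX: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Signature:
    signer: str     # subject name in the signing certificate
    issuer_ca: str  # CA that issued that certificate

@dataclass(frozen=True)
class Rule:
    grant: str                       # capability, e.g. "fs:local" or "net:remote"
    signer: Optional[str] = None     # required signer, or None for any
    issuer_ca: Optional[str] = None  # required issuing CA, or None for any

    def matches(self, sig: Signature) -> bool:
        # Every constraint that is set must hold; an unset one matches anything.
        if self.signer is not None and sig.signer != self.signer:
            return False
        if self.issuer_ca is not None and sig.issuer_ca != self.issuer_ca:
            return False
        return True

def permissions(policy: List[Rule], trusted_cas: FrozenSet[str],
                sig: Optional[Signature]) -> FrozenSet[str]:
    """Union of grants from every matching rule; sandbox only if the applet is
    unsigned or its certificate was not issued by a CA we trust."""
    if sig is None or sig.issuer_ca not in trusted_cas:
        return SANDBOX
    return frozenset(r.grant for r in policy if r.matches(sig))

# Constructed policy using the post's placeholder names (FOO, FU, CAxxx, CAyyy, CAzzz).
TRUSTED_CAS = frozenset({"CAxxx", "CAyyy", "CAzzz"})
POLICY = [
    # Pin a named signer to its CA: a signer-only rule would also match a
    # same-named subject certified by any other trusted CA.
    Rule("fs:local", signer="FOO", issuer_ca="CAyyy"),
    Rule("fs:local", issuer_ca="CAxxx"),               # anyone certified by CAxxx
    Rule("net:remote", signer="FU", issuer_ca="CAzzz"),
    Rule("net:remote", issuer_ca="CAyyy"),
    Rule("net:remote", issuer_ca="CAzzz"),
]

def grants_for(signer: Optional[str], issuer_ca: Optional[str]) -> FrozenSet[str]:
    """Convenience wrapper: a None signer means the applet is unsigned."""
    sig = None if signer is None else Signature(signer, issuer_ca or "")
    return permissions(POLICY, TRUSTED_CAS, sig)
```

With this policy FOO under CAyyy gets both filesystem and network, while any other CAyyy holder gets network only, and a signature from a CA outside the trust list is treated exactly like no signature.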

