[2826] in WWW Security List Archive


Re: Applet security (was Re: ActiveX security hole reported).

daemon@ATHENA.MIT.EDU (Mary Ellen Zurko)
Wed Aug 28 11:23:17 1996

To: Michael Burati <burati@apollo.hp.com>
cc: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu,
        zurko@osf.org
In-reply-to: Your message of "Tue, 27 Aug 1996 15:50:25 EDT."
             <2.2.32.19960827195025.00acd904@pop-e3> 
Date: Wed, 28 Aug 1996 08:52:16 -0400
From: Mary Ellen Zurko <zurko@osf.org>
Errors-To: owner-www-security@ns2.rutgers.edu


> I haven't had time to keep up with what's being done in this area, so if
> someone is already working on the above (fine grain authz, not just signing)
> I'd like to hear about it...

Lots of people are talking about it. At the W3C, they're proposing a
Digital Signature project, with one part being work on the signature 
technology, and one part being work on the policy. They're floating 
extending PICS for policy, but I don't see that a language designed for
linear rating scales is a particularly good starting point. They've
also mentioned SDSI, which looks like it has more promise.

Folks at Sun seem to mumble about it occasionally. We'd like to
extend our Adage work (http://www.osf.org/www/adage/) to mobile
code. I'm sure there are lots of others who are thinking about it.

One problem is that unlike traditional server side authorization,
which could be assumed to be implemented by a small number of security
administrators, client-side authorization involves every user. 
So the traditional usability problems get even more acute, while the
range of actions and resources needing authorizations is even more
diverse.
	Mez

