[2830] in WWW Security List Archive
Re: Applet security (was Re: ActiveX security hole reported).
daemon@ATHENA.MIT.EDU (David M. Chess)
Wed Aug 28 16:16:19 1996
Date: Wed, 28 Aug 96 14:12:57 EDT
From: "David M. Chess" <CHESS@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> From: Mary Ellen Zurko <zurko@osf.org>
> One problem is that unlike traditional server side authorization,
> which could be assumed to be implemented by a small number of security
> administrators, client-side authorization involves every user.
> So the traditional usability problems get even more acute, while the
> range of actions and resources needing authorizations is even more
> diverse.

That, IMHO, is one of the most important questions. Can strong
flexible security be made trivial-to-use enough that actual
end users (i.e. people who use computers in order to accomplish
some *non-computer-related* goal) will be able to use it, will
choose to use it, will manage to use it correctly, and will be
trusted by their management to use it in the workplace? Or,
alternately, easy-to-use enough that system administrators
will in fact be able to administrate it on behalf of their
users, while still having enough power and flexibility to
make it ("it" being mobile / downloaded / itinerant code)
interesting.

I think it's a challenge, and that the problem will continue
to be an inhibitor on lots of kinds of web (and active mail,
and etc) activity for longer than we'd all like.
- -- -
David M. Chess | "Shh... We is seein' who kin
High Integrity Computing Lab | dream 'bout the biggest cat-fish."
IBM Watson Research | -- P. Pine