[2845] in WWW Security List Archive
Re: Applet security (was Re: ActiveX security hole reported).
daemon@ATHENA.MIT.EDU (Michael Burati)
Thu Aug 29 16:05:59 1996
Date: Thu, 29 Aug 1996 14:23:03 -0400
To: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
From: Michael Burati <burati@apollo.hp.com>
Errors-To: owner-www-security@ns2.rutgers.edu
At 11:01 AM 8/28/96 EDT, David M. Chess wrote:
>> not). What I really want is authorization based on who signed the applet
>> or by anything signed by a particular CA. Any unsigned applet should be
>> relegated to working within the limited sandbox given to it by the browser.
>want (or claim that we want). But is it what the typical corporate
>CIO wants, or should want? Should individual users be making that
>sort of fine-grained decisions? Should, for that matter, even
>sysadmins be making that sort of fine-grained decision? If we're
>talking bet-the-company here, it would seem plausible to me that
>a typical corporate installation would want to keep untrusted apps
>from doing anything at all, and (for reasons of convenience) would
>want to allow trusted apps to do many/most things. At least, that's
>what the scenario is based on.
I can't disagree with your points there. Limiting distribution of browsers
to pre-configured ones with preset levels of trust (company's CA, certain
well-known CAs and vendors...) may make sense in those cases.
I have no project related interest in what I was asking for (as I don't work
on web products anyway), it's just what I wanted personally, so I could decide
which applets I would allow to run...
