[2854] in WWW Security List Archive
Re: Applet security (was Re: ActiveX security hole reported).
daemon@ATHENA.MIT.EDU (Paul Rarey)
Fri Aug 30 13:42:27 1996
From: Paul Rarey <Paul.Rarey@Clorox.com>
Date: Wed, 28 Aug 1996 17:04:44 -0700
In-Reply-To: Alireza Bahreman <bahreman@eit.com>
"Re: Applet security (was Re: ActiveX security hole reported)." (Aug 27, 15:05)
Reply-To: Paul Rarey <Paul.Rarey@Clorox.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Aug 27, 15:05, Alireza Bahreman wrote:
> Subject: Re: Applet security (was Re: ActiveX security hole reported).
>
>EIT has developed two approaches for Applet Security (no fine grain auth):
>1) Use RSA to sign applets and verify at the browser side before allowing
>access
What enveloping strategy would be used to carry the signature and object?
>2) Wrap Applets inside MOSS messages (secure MIME)
This I like. The S/MIME folks will want it a different way though (I'm not keen
on S/MIME). The downside is - I've heard a bit about MOSS being too "big" to
easily implement (IMC Resolving Security work).
How about something along the lines of RFC 1847?
>we have also thought of another alternative which we have not developed or
>tested. That is use of SSL to download applets (as in https://blaw.blaw...).
I don't see how SSL allows the execution engine (Java or ActiveX) to
authenticate the object(s), only to authenticate the server it came from. Good,
but seems complete.
[ snip ]
Cheers!
[ psr ]
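
Added example, not part of the original message and not EIT's code: a minimal RFC 1847-style multipart/signed envelope that carries an applet and its signature together, so the client authenticates the object itself regardless of which server or transport delivered it. Assumptions: the boundary string, the protocol and micalg parameter values, the sample applet bytes and the demo key are all constructed for illustration, and the signature is textbook RSA over a SHA-256 digest with no padding, which is a simplification.

```python
import base64, hashlib

# Constructed demo key: Mersenne primes, trivially factorable. Never use for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
B = b"applet-boundary"                      # hypothetical boundary
SIG_TYPE = b"application/x-demo-signature"  # hypothetical protocol name
APPLET = b"\xca\xfe\xba\xbe constructed applet bytes"  # constructed sample

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def wrap(applet: bytes) -> bytes:
    """Publisher side: build a multipart/signed envelope around the applet."""
    # RFC 1847: the signature covers the first body part, MIME headers included.
    part = (b"Content-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(applet))
    sig = format(pow(_h(part), D, N), "x").encode()  # textbook RSA, no padding
    return (b'Content-Type: multipart/signed; protocol="' + SIG_TYPE +
            b'"; micalg="sha-256"; boundary="' + B + b'"\r\n'
            b"\r\n--" + B + b"\r\n" + part +
            b"\r\n--" + B + b"\r\nContent-Type: " + SIG_TYPE + b"\r\n\r\n" + sig +
            b"\r\n--" + B + b"--\r\n")

def unwrap(envelope: bytes):
    """Client side: return the applet bytes only if the signature verifies, else None."""
    segs = envelope.split(b"\r\n--" + B)
    if len(segs) != 4:                       # headers, signed part, signature, close
        return None
    part, sig_part = segs[1][2:], segs[2][2:]   # drop the CRLF after each delimiter
    try:
        sig = int(sig_part.split(b"\r\n\r\n", 1)[1], 16)
        if pow(sig, E, N) != _h(part):       # object check, independent of the server
            return None
        return base64.b64decode(part.split(b"\r\n\r\n", 1)[1], validate=True)
    except (IndexError, ValueError):
        return None

if __name__ == "__main__":
    env = wrap(APPLET)
    print(env.decode())
    print("verified:", unwrap(env) == APPLET)
```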