[4723] in WWW Security List Archive
Snake Oil FAQ
daemon@ATHENA.MIT.EDU (Bob Denny)
Sat Mar 8 15:18:57 1997
From: "Bob Denny" <rdenny@dc3.com>
Date: Sat, 8 Mar 1997 09:31:01 -0800
In-Reply-To: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
"RE: Latest Java hole is Netscape/Sun only" (Mar 8, 7:42)
To: dennis.glatting@plaintalk.bellevue.wa.us
Cc: "'WWW Security List'" <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
[was: RE: Latest Java hole is Netscape/Sun only -- subject line changed to
curb MS PR-spin verbiage ("latest", and "Netscape/Sun only")]
Dennis --
The Snake Oil FAQ... thank you for reminding us of that. For the rest of the
folks on this list (at least those who don't want to search for "Snake Oil
FAQ" on AltaVista):
http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html
Anyway, the "trust me" commentary in the SOF doesn't aim directly at the folly
of a trust-only security system. It pertains to vendors who try to hide the
details of their system (thus violating another, but different, basic rule).
I agree with your comments regarding the "code signature model". However, I
don't agree that Java and ActiveX are the same. Java is not trust-only,
ActiveX is. There is a difference. With Java, you can adjust the privileges
the applet has based on your level of trust of the code. The signature
provides identity, you provide the evaluation of trust, and then you adjust
the privileges.
On Mar 8, you wrote:
> Subject: RE: Latest Java hole is Netscape/Sun only
>
> With respect to both languages neither is a good Internet
> solution, regardless of who signs the code.
>
> With the code signature model there isn't a realistic method,
> short of third party analysis of the source code and its
> dependencies and world-wide legal liability, the signer
> (assuming a third party) or the recipient has to believe the
> code is trustworthy. From a security perspective, signing a
> code blob offers little value other than verification of
> transport. It is a "trust me" model, on which the Snake Oil FAQ
> offers appropriate commentary.
>
>
> -dpg
>-- End of excerpt from you --
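The distinction drawn in the message above (a signature establishes identity and transport integrity; the trust decision and the resulting privileges are a separate, per-signer policy step, as opposed to an all-or-nothing "valid signature unlocks everything" model) can be shown in a few dozen lines. The program below is an added illustration and is not code from the message, the list, or any Java or ActiveX implementation. It assumes an Ed25519 key pair standing in for whatever 1997-era signature scheme a real publisher used, a constructed code blob, and a hypothetical set of privilege names; the policy is keyed on a SHA-256 fingerprint of the signer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Privilege is one capability the host may grant to downloaded code.
// The names are hypothetical, chosen for the example.
type Privilege string

const (
	PrivNetOrigin    Privilege = "net:connect-to-origin-host"
	PrivReadTemp     Privilege = "fs:read-temp"
	PrivWriteUserDir Privilege = "fs:write-user-dir"
	PrivExecNative   Privilege = "exec:native-code"
)

// AllPrivileges is the full set; a trust-only model hands all of it out at once.
var AllPrivileges = []Privilege{PrivNetOrigin, PrivReadTemp, PrivWriteUserDir, PrivExecNative}

// SandboxOnly is what unsigned, tampered or unknown-signer code gets:
// the ordinary applet sandbox and nothing more.
var SandboxOnly = []Privilege{PrivNetOrigin}

// SignedBlob is a code blob with a detached signature and the signer's public key.
type SignedBlob struct {
	Code      []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// NewPublisher creates a fresh signing key pair for a hypothetical publisher.
func NewPublisher() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the publisher side: bind the code bytes to the publisher's key.
func Sign(code []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) SignedBlob {
	return SignedBlob{Code: code, Signer: pub, Signature: ed25519.Sign(priv, code)}
}

// Fingerprint names a signer by a hash of its public key; this is the
// "identity" the signature establishes and what a policy is keyed on.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifiedIdentity checks the signature. Success proves only that the holder
// of the key signed exactly these bytes (transport integrity plus identity);
// it says nothing about whether the code is safe to run.
func VerifiedIdentity(b SignedBlob) (string, bool) {
	if len(b.Signer) != ed25519.PublicKeySize || !ed25519.Verify(b.Signer, b.Code, b.Signature) {
		return "", false
	}
	return Fingerprint(b.Signer), true
}

// Policy is the user's trust evaluation: which signer gets which privileges.
type Policy map[string][]Privilege

// Grant implements the per-signer model the message describes for Java:
// identity from the signature, trust decision from the policy, privileges
// adjusted accordingly. Anything that fails verification or has no policy
// entry falls back to the sandbox rather than to a refusal or to full access.
func Grant(p Policy, b SignedBlob) []Privilege {
	id, ok := VerifiedIdentity(b)
	if !ok {
		return SandboxOnly
	}
	granted, known := p[id]
	if !known {
		return SandboxOnly
	}
	return append([]Privilege(nil), granted...) // copy so callers cannot mutate the policy
}

// GrantTrustOnly implements the all-or-nothing model the message describes
// for ActiveX: any valid signature unlocks everything, an invalid one is
// refused (nil). Note that it grants the same to a known and an unknown signer.
func GrantTrustOnly(b SignedBlob) []Privilege {
	if _, ok := VerifiedIdentity(b); !ok {
		return nil
	}
	return append([]Privilege(nil), AllPrivileges...)
}

func main() {
	pub, priv := NewPublisher()
	blob := Sign([]byte("constructed applet bytes"), pub, priv) // constructed sample input
	policy := Policy{Fingerprint(pub): {PrivNetOrigin, PrivReadTemp}}
	fmt.Println("per-signer:", Grant(policy, blob))
	fmt.Println("trust-only:", GrantTrustOnly(blob))
	blob.Code = []byte("constructed applet bytes, tampered")
	fmt.Println("tampered, per-signer:", Grant(policy, blob))
	fmt.Println("tampered, trust-only:", GrantTrustOnly(blob))
}
```

The point of the two grant functions side by side is the unknown-signer case: under `Grant`, a perfectly valid signature from a publisher the user has made no decision about yields only the sandbox, because identity alone has not earned anything; under `GrantTrustOnly`, the same signature yields every privilege, which is exactly the "trust me" outcome the quoted reply objects to.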