[4724] in WWW Security List Archive
RE: Latest Java hole is Netscape/Sun only
daemon@ATHENA.MIT.EDU (Dennis Glatting)
Sat Mar 8 15:21:27 1997
From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
Date: Sat, 8 Mar 97 07:42:24 -0800
To: Thomas Reardon <thomasre@microsoft.com>
cc: "'Bob Denny'" <rdenny@dc3.com>,
"'WWW Security List'"
<WWW-SECURITY@ns2.rutgers.edu>
Reply-To: dennis.glatting@plaintalk.bellevue.wa.us
Errors-To: owner-www-security@ns2.rutgers.edu
> From: Thomas Reardon <thomasre@microsoft.com>
> Date: Fri, 7 Mar 1997 17:29:50 -0800
>
> [snip]
>
> As for your "who+what" assertion: The idea of
> capabilities-based-trust is a complication, not a
> simplification for end-users. That is, once you decide that you
> will depend on a trust-based system then that becomes the
> anchor for your security model, it's not really complemented by
> the sandbox anymore. Sandboxes are great for *untrusted
> code*. And ActiveX is absolutely only good for *trusted* code
> (where trusted code is written&deployed within the firewall,
> or across the firewall via identifiable publishers).
>
With respect to both languages, neither is a good Internet
solution, regardless of who signs the code.
With the code signature model there isn't a realistic method,
short of third party analysis of the source code and its
dependencies and world-wide legal liability, the signer
(assuming a third party) or the recipient has to believe the
code is trustworthy. From a security perspective, signing a
code blob offers little value other than verification of
transport. It is a "trust me" model, on which the Snake Oil FAQ
offers appropriate commentary.
-dpg