Re: Applet security (was Re: ActiveX security hole reported).

• To: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
• Subject: Re: Applet security (was Re: ActiveX security hole reported).
• From: Michael Burati <burati@apollo.hp.com>
• Date: Thu, 29 Aug 1996 14:23:03 -0400

At 11:01 AM 8/28/96 EDT, David M. Chess wrote:
>> not).  What I really want is authorization based on who signed the applet
>> or by anything signed by a particular CA.  Any unsigned applet should be
>> relegated to working within the limited sandbox given to it by the browser.

>want (or claim that we want).  But is it what the typical corporate
>CIO wants, or should want?  Should individual users be making that
>sort of fine-grained decisions?  Should, for that matter, even
>sysadmins be making that sort of fine-grained decision?  If we're
>talking bet-the-company here, it would seem plausible to me that
>a typical corporate installation would want to keep untrusted apps
>from doing anything at all, and (for reasons of convenience) would
>want to allow trusted apps to do many/most things.  At least, that's
>what the scenario is based on.

I can't disagree with your points there.  Limiting distribution of browsers
to pre-configured ones with preset levels of trust (company's CA, certain
well-known CAs and vendors...) may make sense in those cases.

I have no project related interest in what I was asking for (as I don't work
on web products anyway), it's just what I wanted personally, so I could decide
which applets I would allow to run...

• Previous: RE: SSL and certificates
• Next: Announce: NCSA HTTPd 1.6b1 and XMosaic 2.6s_b1
• Index(es):
  • Index
  • Thread