[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on [MANDATORY cert discovery capabiity]

To: Ben Laurie <ben@xxxxxxxxxxxxx>
Subject: Re: Comments on [MANDATORY cert discovery capabiity]
From: Peter Williams <peter@xxxxxxxxxxxx>
Date: Wed, 01 Oct 1997 13:02:48 -0700
Cc: George Capehart <gwc@xxxxxxxx>, "'ietf-pkix@xxxxxxxxxx'" <ietf-pkix@xxxxxxxxxx>
Organization: VeriSign
References: <> <> <> <> <>
Reply-to: peter@xxxxxxxxxxxx

Ben Laurie wrote:

> Peter Williams wrote:
> > A site's firewall can scan the activeX control's java
> > opcodes and ensure they meet "security requirements"
> > beyond mere well-formedness, before the control enters
> > the enclosure for execution. And this is not theory...
>
> Sounds more like marketing hype than theory to me. Who claims to be able
> to do this?
>

It may be marketing hype; fact and fiction oftenmerge when someone is trying
to sell your something
or otherwise seek to make you think the way which suits them.

http://www.microsoft.com/security/swdownload2.htm is what
I was thinking of.

Admittedly, on this page, there is not the vendor who claimed to scan
the java opcodes (versus merely exclude java applets).And I cant quite
remember the name of the product  (it may have been the
http://www.finjan.com/products/html/surfingate.html Surfingate product.)

This scenario doesn't seem unreasonable however. All java VMs scan
the opcodes during class loading. Moving the scanning/type-checking
to a firewall doesnt sound problematic. Adding scanning
rules beyond java saftey rules to enforce  local-acls of class references
or other parameters is just "programming". Again does not sound
beyond what java licensee's value-added securityManagers do anyway
on modern java end-systems!

Followups to mail, please. Getting way off legitimate PKIX topics.

> Cheers,
>
> Ben.
>
> --
> Ben Laurie            |Phone: +44 (181) 994 6435|Apache Group member
> Freelance Consultant  |Fax:   +44 (181) 994 6472|http://www.apache.org
> and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
> A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
> London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Peter Williams
Content-Disposition: attachment; filename="vcard.vcf"

Attachment converted: Lutefisk:vcard.vcf 18 (TEXT/R*ch) (0001C181)

References:
- RE: Comments on [MANDATORY cert discovery capabiity]
  - From: Carlisle Adams
- Re: Comments on [MANDATORY cert discovery capabiity]
  - From: Peter Williams
- Re: Comments on [MANDATORY cert discovery capabiity]
  - From: George Capehart
- Re: Comments on [MANDATORY cert discovery capabiity]
  - From: Peter Williams
- Re: Comments on [MANDATORY cert discovery capabiity]
  - From: Ben Laurie

Prev by Date: RE: Comments on [MANDATORY cert discovery capabiity]
Next by Date: Re: Comments on [MANDATORY cert discovery capabiity]
Previous by thread: Re: Comments on [MANDATORY cert discovery capabiity]
Next by thread: Re: Comments on [MANDATORY cert discovery capabiity]
Index(es):
- Date
- Thread