Re: Comments on [MANDATORY cert discovery capability]
Peter Williams wrote:
>
[snip]
> An activeX control may be implemented using java, and imply
> all the assurances of the users java virtual machine.
True, but the operative word is "may." 'Softies around here generally
eschew Java for more esoteric languages like Visual Basic for their OCXs
. . .
>
> I would agree that it's important for any user/buyer of crypto
> to know and trust the source of his/her virtual machine,
> as much as the operating system. In some implementations,
> the virtual machine and OS are one and the same. The
> assurances, due to evaluation, of the OS kernel
> and reference monitor (e.g. NT) and reliance on
> CPU-based privilege mode enforcement can carry over to
> assure the VM to the same level as the OS, to all intents and
> purposes.
>
> This is a distinguishing factor of OS and non-OS
> java clients for serious users of actual internet security
> technology.
>
> A site's firewall can scan the activeX control's java
> opcodes and ensure they meet "security requirements"
> beyond mere well-formedness, before the control enters
> the enclosure for execution. And this is not theory...
Hmmmm, couple of thoughts. First, not *every* potential recipient of
one of these controls is behind a firewall. Secondly, the implication
is that firewall/proxy vendors need to implement a "streaming class
loader" that is smart enough to know to look for some very specific
things . . . for instance, that a control/applet is snooping for
wallets, keyrings, passwords, etc. As an exercise, I've been trying to
design one of those that would provide reasonable throughput in my head
. . . gave me a major headache. ;-) This is *really* an interesting
problem! Thanks for bringing it up.
rgds,
gwc
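The proxy-side scanner sketched in the last paragraph, as an added example (not code from either poster): a Python check that a firewall or proxy could run over a class file's constant pool before the class is loaded, flagging referenced API classes and string constants against a hypothetical policy list. The class-file bytes it scans are constructed inline and cover only the header and constant pool, which is all the scanner reads.

```python
import struct

# Constant-pool tag -> size of the fixed payload in bytes (Utf8 is variable, handled apart).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Hypothetical policy: API classes a downloaded control should not reference,
# and string constants that hint at the snooping named in the thread.
DENIED_CLASSES = ("java/io/File", "java/net/Socket", "java/lang/Runtime")
SUSPECT_WORDS = ("wallet", "keyring", "password")

def parse_constant_pool(data):
    """Return {index: (tag, payload)} for the constant pool of a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, = struct.unpack(">H", data[8:10])
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length, = struct.unpack(">H", data[pos + 1:pos + 3])
            pool[idx] = (tag, data[pos + 3:pos + 3 + length].decode("utf-8"))
            pos += 3 + length
        elif tag in CP_SIZES:
            pool[idx] = (tag, data[pos + 1:pos + 1 + CP_SIZES[tag]])
            pos += 1 + CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {pos}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool

def scan_class(data):
    """Return policy findings for one class file, computed before any loading."""
    pool = parse_constant_pool(data)
    findings = []
    for tag, payload in pool.values():
        if tag == 7:  # CONSTANT_Class -> index of the Utf8 class name
            name = pool[struct.unpack(">H", payload)[0]][1]
            if any(name.startswith(d) for d in DENIED_CLASSES):
                findings.append(f"references denied class {name}")
        elif tag == 8:  # CONSTANT_String -> index of the Utf8 literal
            s = pool[struct.unpack(">H", payload)[0]][1]
            if any(w in s.lower() for w in SUSPECT_WORDS):
                findings.append(f"suspect string constant {s!r}")
    return findings

def build_sample_class():
    """Constructed class-file prefix (magic, version, constant pool) for the scanner."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    cp = [utf8("java/io/FileInputStream"), b"\x07\x00\x01",   # #1 Utf8, #2 Class -> #1
          utf8("C:\\wallet.dat"), b"\x08\x00\x03"]           # #3 Utf8, #4 String -> #3
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + struct.pack(">H", len(cp) + 1) + b"".join(cp)
```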