Re: Java Crypto API questions
|> This is hard. It's probably not going to make it in the first |> release. The simple first pass is to say "code signed by x, |> y, and z" can do whatever it wants. | |Good thing Sun is spending millions pushing a brand-new language down our |throats so we can do nothing we couldn't already do. After all the hype |about security, security models, and sandboxes we get signed applets that can |do anything. What a let-down. Just to clarify a couple of things. We're not pushing anything down your throat. You are still perfectly free to use Visual C++ if that is what you prefer. A statement to the effect of "is probably not going to make it in the first release" means the following things: - If we can, we will make it happen (in some form) in the first release. We're just trying to set expectations realistically. - We think that the ability to let applets have free reign is useful,and since that is easier, we are certain to put it in the first release. - No matter what we do, we must address some very thorny issues of key management and user trust model, so doing this will be useful. |Currently, the only safe way to run untrusted Java code is to not run it. |This probably isn't going to change (see cpunks archives for reasons). If |Sun cannot prevent untrusted code from doing nasty things, how can they |prevent code empowered with certain capabilities from doing things they are |not certified to do? It now seems that all the effort, time, and money to |move towards Java over another OO language was a waste in a way since it no |longer appears to have any security advantages. Ignoring security, Java is |not a bad language at all, but it still has distinct disadvantages over some |of the possible alternatives (mainly immaturity, no dynamic message |invocation, interpreters still not ready for prime-time). The important thing to remember is that we're not going to come out with an implementation and claim to have solved the capabilities model problem. We're taking a first step at using signatures with Java for security purposes, but this is only a first step. We remain fully committed to finer and more powerful security models. Note that an application written to the Java platform will be able to implement security policies based on digital signatures which are not fully permissive. Cheers, -- Benjamin
Benjamin Renaud writes:
Good thing Sun is spending millions pushing a brand-new language down our throats so we can do nothing we couldn't already do. After all the hype about security, security models, and sandboxes we get signed applets that can do anything. What a let-down.
Just to clarify a couple of things. We're not pushing anything down your throat. You are still perfectly free to use Visual C++ if that is what you prefer.
Why, thank you. However, you haven't answered Mr. Lowenstern's point. Once you start signing Java apps, and executing them based on the trust implied in the signature, you really didn't need Java in the first place. You could just download and execute programs of any sort. Frankly, I really dislike the idea of my users downloading arbitrary apps all day long onto their workstations and running them. I'm not sure it really buys you too much, either, other than loss of security.
- We think that the ability to let applets have free reign is useful,
Lots of things are useful. Security often "gets in the way". However, as mature engineers operating in an environment where many users have highly mission critical equipment, some of us try to be more responsible than that.
The important thing to remember is that we're not going to come out with an implementation and claim to have solved the capabilities model problem.
We're taking a first step at using signatures with Java for security purposes, but this is only a first step. We remain fully committed to finer and more powerful security models. Note that an application written to the Java platform will be able to implement security policies based on digital signatures which are not fully permissive.
Java's security has always lacked defense in depth, continues to lack defense in depth, probably cannot be retrofitted to gain defense in depth, and is likely going to continue to be periodically penetrated. Java security continues to rely on the "all portions of the system are perfectly implemented" model, which as I have repeatedly noted in this forum is fundamentally flawed because humans can never produce perfectly designed and implemented systems. A system that was built to be failure tolerant would be better, but that isn't what you have proposed. I have a great fear. My great fear is that once you've solved the obvious and stupid problems and hyped how Java has become secure (which will doubtless make the stock market analysts happy), people may start to trust Java, and then, without warning, one day the evil applets on the web pages aren't going to be mere demonstrations any more but are going to be real nasty things that do stuff like embezzle money from your brand new funky ecash purse or whatever. At that point, it will be way too late to do anything because of all the Java crud pervading the net that all the users will insist on having access to. All this, mind you, to get fancy animation on web pages, and damn little else worthwhile. Perry
participants (2)
-
br@doppio.Eng.Sun.COM -
Perry E. Metzger