1996-02-24 - Re: REM_ote

Header Data

From: Alex Strasheim <cp@proust.suba.com>
To: cypherpunks@toad.com
Message Hash: c35b90c1260365f83f178d7dbf0a43fed60b8f18c7b53184ffec29ae8f4c6375
Message ID: <199602242031.OAA01806@proust.suba.com>
Reply To: <199602241942.OAA19580@homeport.org>
UTC Datetime: 1996-02-24 21:10:06 UTC
Raw Date: Sun, 25 Feb 1996 05:10:06 +0800

Raw message

From: Alex Strasheim <cp@proust.suba.com>
Date: Sun, 25 Feb 1996 05:10:06 +0800
To: cypherpunks@toad.com
Subject: Re: REM_ote
In-Reply-To: <199602241942.OAA19580@homeport.org>
Message-ID: <199602242031.OAA01806@proust.suba.com>
MIME-Version: 1.0
Content-Type: text


> 	Until there's security oriented configurability, I can't say
> Netscape has anything better than an acceptable record.  They do a
> decent job of fixing the bugs, but only if you can enforce deployment
> of a new version, and ensure that old, bad features are not used.

I guess that I have confidence in Netscape because they have a history of 
responding to concerns posted here and elsewhere.  Security oriented 
configurability will be a good test -- I would be surprised if it doesn't 
come out soon.

What are we talking about specifically when we talk about security
oriented configurability?  Rather than just turning java(script) on and
off, wouldn't it be useful to piggyback off of the X.509 system that's
already in place?

For every CA's or server's cert, they'd just have to add two checkboxes:  
whether or not to run java applets or javascript code from servers 
vouched for by those certs.  Is that what people mean when they talk 
about configurability, or just the ability to shut down java(script) 
altogether?





