From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: 532dbfe83d40d38032ce58f2039f3af8a38aabf167da15012fa756a80ae18950
Message ID: <9510091042.AA13473@all.net>
Reply To: N/A
UTC Datetime: 1995-10-09 10:44:46 UTC
Raw Date: Mon, 9 Oct 95 03:44:46 PDT
Subject: The problem with Java

The way I see it, the real problem with Java is that there is no
clear statement of the "security" goals it is supposed to attain.
It's one thing to declare a concept or an implementation "secure"
but it's quite another to tell us what the security claims are and
demonstrate that they are met. Specifically:

Do the makers of Java claim it can authenticate the
source of programs it runs?

Do the makers of Java claim it can prevent someone from using
your client to attack other servers?

Do the makers of Java claim it can prevent denial of services or
consumption of all available resources on the client machine?

Do the makers of Java claim it can maintain integrity or
confidentiality of something?

I have read the white paper on Java and I still don't know the answer to
these questions. Until I do, it's hard to assess the "security" of
Java, but I can tell you this. I bet that at least two, probably three,
and maybe even all four of these are not accomplished by Java.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236