From: Rich Graves <llurch@networking.stanford.edu>
To: Marianne Mueller <mrm@netcom.com>
Message Hash: dd86a2bbf6bb0eb602da8944c8c69d76a1c9129afc2aff3f6580f3cd4d32c9c5
Message ID: <Pine.GUL.3.93.960427162243.9454C-100000@Networking.Stanford.EDU>
Reply To: <199604272256.PAA02672@netcom20.netcom.com>
UTC Datetime: 1996-04-28 06:09:07 UTC
Raw Date: Sun, 28 Apr 1996 14:09:07 +0800
Subject: Re: Mindshare and Java

On Sat, 27 Apr 1996, Marianne Mueller wrote:
> One thing I don't understand, why do you trust signed code?
>
> So you know the code is signed by Jack the Ripper. So what? How do you
> decide what you want the code to be allowed to do? I think there's
> nothing for it but a kind of limited capabilities model built on top
> of the authentication mechanism.

I explained/retracted/fudged this in a later message.

Some of the things a valid signature from Jack the Ripper means:

1. If it breaks something, I can send Jack the Ripper a bug report, or
   a flame, as appropriate.
2. If I like it, I can send Jack the Ripper money or other form of good
   vibes.
3. If I am Jack the Ripper, I have a way of proving that the code is my
   intellectual property.
4. If I'm not Jack the Ripper, I can say "That wasn't me."
5. If I am GNU, I can advertise and "enforce" my copyleft policy.
6. I have a way of knowing if Alice or Bob stuck a virus or trojan into
   Jack's code.

"Trust" really isn't the right word for what I'm getting at. Microsoft's
digital signature initiative is basically FUD with the spin "Only stuff
signed or endorsed by Microsoft is going to work," but I don't think that
this spin is inherent in signed code initiatives generally.

I think it would be a waste of time to build a multitiered security model
where applets with certain classes of signatures would be allowed to do
more. But signatures are still useful in a flat security model.

I think this is already all being done for Java, though, so never mind,
probably. I was just responding in a generally applicable way.

-rich