From: chess@us.ibm.com
To: java-security@java.sun.com
Date: Thu, 24 Jun 1999 11:57:25 -0400
Subject: Java security questions for upcoming talk

I'm co-authoring a paper on Java security that we'll present at this year's
Virus Bulletin conference, and in the face of a fast-approaching deadline I
realize that I don't know the answer to some very fundamental questions. Since
comp.lang.java.security doesn't even seem to have figured out how to use keytool
yet *8) I thought I'd go right to the source looking for some answers. I've
read the FAQ on the Java 2 1.2 plugin and all, but not found answers to these
things:
- When users upgrade to the Java 2 platform, either via the plugin or the OJI
version of Netscape (Netscape 5), will any of the existing applets that use
Netscape-specific or IE-specific sandbox-escaping calls still work? Or are all
those broken? If they are all broken, is that OK because such applets are in fact
very rare in the real world?
- Has Microsoft announced any plans to support OJI, or otherwise more tightly
integrate Java 2 into IE, so that applets referenced with <APPLET> tags will be
run by Java 2, and so on?
- Exactly when and/or how often are the policy files accessed? If one does
centralized policy management by putting policy files on an Intranet Web server,
how often will a given Java 2 client machine hit the server? Conversely, how
long will it take for changes to the central policy file to get to all clients?
Are there general guidelines available on how to do centralized policy
management and control in an enterprise that uses the Java 2 platform
extensively?
Thanks for any and all answers or URLs or whatever! We have to have this paper
in by June 30th, so the more we can find out before then, the more accurate it
will be...
DC