Date: Mon, 3 Mar 1997 23:10:29 -0800
Message-Id: <199703040710.XAA07027@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: nealmcb@bell-labs.com
Subject: Re: mistakes in your javakey pages, and practical security tips
Hi -
First, thanks for your thoughtful comments and helpful bug fixes. The
doc errors have been corrected and should show up on our external site
tomorrow.
> It also refers to random kbd input during signing. I was not
> asked for any in the jdk1.1-Final version. But I would expect it
> to ask!
In JDK 1.1, private keys are not encrypted, since there are no
encryption facilities in the JDK. This is a crucial point, as you
mention, and one that we should perhaps shout out more loudly than
we have to date. We're doing our best! I recognize the tutorial
material and policy material isn't adequate but it's just a start.
As the software and tools that are yet needed are developed, we'll
document them. The documentation that is there now simply states
what the current situation is.
The Q&A at
http://jeeves.javasoft.com/hypermail/java-security-archive/index.html
does talk about some future directions.
> I have many more thoughts on the tutorial, but I'm not done yet.
> In general, I think you really need to beef up your discussions
> of policy, and provide a "usingJavakey.html" which reflects
> the policy you recommend. E.g., as I currently understand it,
> following usingJavakey.html followed by an appletviewer session will
> allow a trusted applet to steal your private keys, since you don't
> take any precautions. Make it clear that people will always
> want to use different databases for signing and for browsing.
> Then in the future change the tools to make it harder to
> compromize yourself!
>
> Point out that identitydb.obj is created world-readable by default!
> Can't that be fixed??
>
> Take some lessons from the PGP documentation. Make your users
> paranoid. Otherwise you'll get a terrible reputation when non-experts
> start actually distributing signed applets which get compromized
> by willy hackers who impersonate the non-experts.
>
> http://www.pgp.net/pgpnet/
Your comments on the need for better documentation, and more focus on
how this software will be used by programmers, is right on. We're in
agreement!
Marianne
JavaSoft engineering, security