Date: Thu, 27 Feb 97 06:41:02 PST
Message-Id: <9702271441.AA23772@lever.dr.lucent.com>
From: Neal McBurnett <nealmcb@lucent.com>
To: java-security@java
Subject: mistakes in your javakey pages, and practical security tips
In http://java.sun.com/security/usingJavakey.html you refer to
the "-ga" option of javakey. You mean "-gk". You got it right
in the summary, but not further down.
% javakey -ga "duke" DSA 512 duke_pub duke_priv
In your javakey doc:
http://www.javasoft.com/products/jdk/1.1/docs/tooldocs/solaris/javakey.html
You refer to the "java" directory. It was there in jdk1.1-beta2,
but is no longer there (thank goodness! It caused compatibility
hassles with jdk1.0.2).
java.home/lib/security, where java.home is
the directory named "java" in the JDK installation directory.
It also refers to random kbd input during signing. I was not
asked for any in the jdk1.1-Final version. But I would expect it
to ask!
I have many more thoughts on the tutorial, but I'm not done yet.
In general, I think you really need to beef up your discussions
of policy, and provide a "usingJavakey.html" which reflects
the policy you recommend. E.g., as I currently understand it,
following usingJavakey.html followed by an appletviewer session will
allow a trusted applet to steal your private keys, since you don't
take any precautions. Make it clear that people will always
want to use different databases for signing and for browsing.
Then in the future change the tools to make it harder to
compromize yourself!
Point out that identitydb.obj is created world-readable by default!
Can't that be fixed??
Take some lessons from the PGP documentation. Make your users
paranoid. Otherwise you'll get a terrible reputation when non-experts
start actually distributing signed applets which get compromized
by willy hackers who impersonate the non-experts.
Cheers,
Neal McBurnett <nealmcb@bell-labs.com> 503-331-5795 Portland/Denver
Bell Labs Innovations for Lucent Technologies
http://bcn.boulder.co.us/~neal/ (with PGP key)