Re: will code signing enable me to do the following?

Marianne Mueller (mrm@eng.sun.com)
Tue, 28 Jan 1997 16:47:54 -0800

Date: Tue, 28 Jan 1997 16:47:54 -0800
Message-Id: <199701290047.QAA09784@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: aed@scruz.net
Subject: Re: will code signing enable me to do the following?

Let's see if I can answer your question without muddying the issue!

JDK 1.1 supplies the base technology for digital signatures. It's up
to the browser vendors what level of trust they'll assign to signed
applets. Right now, I don't know of any browser that is supporting
the Java signatures and I haven't heard any publically announced plans
for how they'll handle that.

In JDK 1.1, there's a tool called the appletviewer that is like a
browser, but it only understands one HTML tag, the <applet> tag. The
JDK 1.1 appletviewer is setup so that if an applet is signed by an
entity that is marked as trusted in your identity database, then that
applet has full access. For this reason you want to be careful
about what identities you mark as "trusted" in the identity database.
Refer to the "policy recommendations" page at
http://java.sun.com/security/policy.html

In the release after JDK 1.1, we will support finer grain access
control for signed applets, so that you'll be able to specify that
such-and-such applet can access a particular file (or read a
particular database) but not access any other files.

For your purposes, I think you will be able to accomplish what you
need to do with JDK 1.1 and any standalone Java appications, or the
appletviewer. Be sure the safeguard the private keys (preferably, do
not store them on the same system where you store your default JVM and
identity database. An offline system might be best.)

For auditing, you'll want to put audit hooks into your applet, and
take care to note who did what when, etc. Check out the Java
Server for examples of doing logging in Java
(http://java.sun.com/products/java-server)

Marianne

p.s. The main area for finding info about Java Security is
http://java.sun.com/security