<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2800.1555" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi Rob,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>> You're saying Java's security model is adequate for what people want
to do on the Web. </DIV>
<DIV>> I say that is unproven since people are not using Java on the Web.
</DIV>
<DIV>> *Why* they are not using Java on the Web is irrelevant.<BR></DIV>
<DIV><FONT face=Arial size=2>I certainly don't know what's on every
web-page out there, but when it comes to Java Applets and the security
model, the following recent developments may be of interest (especially the
crossdomain stuff): -</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><A href="https://jdk6.dev.java.net/plugin2/"><FONT
face="Times New Roman"
size=3>https://jdk6.dev.java.net/plugin2/</FONT></A><BR><A
href="http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html"><FONT
face="Times New Roman"
size=3>http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html</FONT></A></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Cheers Richard Maher</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=robert@ocallahan.org href="mailto:robert@ocallahan.org">Robert
O'Callahan</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=elharo@metalab.unc.edu
href="mailto:elharo@metalab.unc.edu">elharo@metalab.unc.edu</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=whatwg@lists.whatwg.org
href="mailto:whatwg@lists.whatwg.org">whatwg@lists.whatwg.org</A> ; <A
title=lcamtuf@dione.cc href="mailto:lcamtuf@dione.cc">Michal Zalewski</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Saturday, September 27, 2008 8:38
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [whatwg] Dealing with UI
redress vulnerabilities inherent to the current web</DIV>
<DIV><BR></DIV>
<DIV dir=ltr>On Sat, Sep 27, 2008 at 11:55 AM, Elliotte Rusty Harold <SPAN
dir=ltr>&lt;<A
href="mailto:elharo@metalab.unc.edu">elharo@metalab.unc.edu</A>&gt;</SPAN>
wrote:<BR>
<DIV class=gmail_quote>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">As
I said, it's an existence proof. Sun's inability to provide decent developer
tools (unlike Adobe) doesn't reflect on the capability of the
model.<BR><FONT color=#888888></FONT></BLOCKQUOTE>
<DIV> </DIV></DIV>That has nothing to do with it.<BR><BR>You're saying
Java's security model is adequate for what people want to do on the Web. I say
that is unproven since people are not using Java on the Web. *Why* they are
not using Java on the Web is irrelevant.<BR><BR>In fact, people are doing a
lot of things on the Web, using cross-origin IFRAMEs, that are not possible
with the Java model.<BR><BR>Or maybe you're not saying that. Maybe you're just
saying "the Java model is secure" and not claiming it meets people's needs. In
that case, you may be right, but that's not very interesting --- it's easy to
come up with safe, simple security models that don't provide the functionality
people want.<BR clear=all><BR>Rob<BR>-- <BR>"He was pierced for our
transgressions, he was crushed for our iniquities; the punishment that brought
us peace was upon him, and by his wounds we are healed. We all, like sheep,
have gone astray, each of us has turned to his own way; and the LORD has laid
on him the iniquity of us all." [Isaiah
53:5-6]<BR></DIV></BLOCKQUOTE></BODY></HTML>