Updates to the Security FAQ

Joseph A. Gilvary (jgilvary@census.gov)
Wed, 21 Jan 1998 13:14:41 -0500

Message-Id: <34C63B11.C725DDA6@census.gov>
Date: Wed, 21 Jan 1998 13:14:41 -0500
From: "Joseph A. Gilvary" <jgilvary@census.gov>
To: java-security@web2.javasoft.com
Subject: Updates to the Security FAQ

We have developed a Java applet to access Census data products via our
intranet. This is a prototype of a dissemination tool we intend to
offer to the public at large and we have recruited a small set of
external testers to help us evaluate its effectiveness in meeting
their requirements. One potential tester has declined to participate,
citing unwarranted security concerns about Java. I would like to refer
them to your FAQ among other resources.

The Security FAQ online today was last updated in October. There are
specific rights which users must grant to our signed applet (Netscape
Object Signing with a Verisign Corporate SW Developer Certificate),
using Netscape's Capabilities Classes. Your FAQ mentions that "In
general, applets loaded over the net are prevented from reading and
writing files on the client file system, and from making network
connections except to the originating host" in question 1. True
enough, in general. But we download the Netscape Capabilities classes
to allow our signed applet to contact multiple hosts in our system.

No one can expect Sun or Javasoft to maintain the most up-to-date
information on the various implementations of Java-enabled browsers.
But an acknowledgment of the evolving security implementations of the
major Java licensees, perhaps with a href to pertinent site(s), would
make the online FAQ a more complete reference.

Thanks,

Joe Gilvary
Data Access and Dissemination Staff
US Bureau of the Census
jgilvary@census.gov