Perry E. Metzger (perry@piermont.com)
Wed, 28 Oct 1998 11:03:56 -0500
Bill Frantz writes:
> At 5:33 AM -0800 10/27/98, Perry E. Metzger wrote:
> >Bill Frantz writes:
> >> >My suggestion: why re-implement what is already available in the
> >> >program? The java applet is allowed to open an https: URL on the
> >> >server if it wishes. Have it do so, and download your session keys
> >> >that way.
> >> >
> >> >I've built several systems already that use this trick. 'taint pu'rty,
> >> >but it does the job.
> >>
> >> Perry - How is the HTTPS session key selected?
> >
> >The randomness for it is derived using whatever method the browser
> >normally uses for selecting the thing. It is true that you are
> >dependent on the browser, but I suspect it is easier to get good
> >randomness in C than in Java. The code for Netscape's RNG is fairly
> >public, too.
>
> In an ideal world, it would be the same source. However, I expect that
> Netscape/Microsoft hasn't modified the java.security classes to use a
> better source of randomness.

We aren't talking about using the java.security classes at all. I
suggested opening an https: url. These are not the same sort of thing.

Perry

The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22