[cap-talk] Google TechTalk lecture series, HP--Fix Java Web Start
John Carlson
john.carlson3 at sbcglobal.net
Wed Jul 12 03:21:01 EDT 2006
>>
>> 1. 05:40: "This approach <POLA> has been used many
>> times in the past and it has always failed."
>
> I don't believe that I said that POLA failed. At least I didn't intend
> to. What has failed are systems that enforce fine-grained access
> control [FGAC] and continually ask for confirmation, e.g., Java WebStart.
> Your point that combining designation with authorization "has simply been
> essentially ignored" is exactly the point I was trying to make.
This was more along the lines of what I heard. I agree with
Alan's assessment. I think that Java Web Start FGAC can be fixed, however,
since it's merely another jar file shipped with the application. The
trick will be to hook into the sandbox security. I'm not saying Java Web
Start is perfect, just that it can be changed, probably in a backwards
compatible fashion (by replacing the whole API, if necessary). I would
be glad to discuss why this wouldn't be possible. If we have to, we could
provide a whole new javaws binary with the appropriate combination
of designation with authorization. Perhaps we could take elements
of CapDesk and DarpaBrowser, and create a capjavaws program.
Perhaps this should be a goal of Joe-E.
>>
>> That talk was on the 5th? My birthday. I hope you had as
>> much fun that day as I did Alan...
>>
> Happy Birthday to you!!! How does it feel to be an old man of 40?
>
Hmm. I was thinking that Jed was my brother's age, which would make him 50.
John