[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft's "answer" to Java



I recieved a copy of "Microsoft Interactive Developer" today in the mail.
In it, it has a preview of Microsoft Explorer 3.0. (Flux by David Boling on
page 120.)

Of interest to Cypherpunks is this paragraph (in the section on OLE support
in web browsers):

"Since OLE controls could potentially pose a security problem, Microsoft is
studying how to create an infrastructure to certify them.  The idea is that,
once certified, an OLE control would contain an RSA security signature
indicating that it has passed muster -- the OLE eqivelent if the Good
Housekeeping Seal of Approval! Users of Internet Explorer 3.0 could specify
whether or not noncertified OLE controls should be loaded and executed by
the browser."

As a web developer, I have some problems with this scheme.  Giving Microsoft
access to virtually every OLE control on the Web does not make me more
secure.  Sounds like a way to rip off ideas from the rest of the development
world.  If someone has a control that might compete with a Microsoft
product, it could be shelved and/or delayed for "further security testing".

Java has a decentralized mechanism for security.  No one group controls what
is a "certified" control and what is not.  You write the code and compile it
and that is that. Furthermore, you are not stuck with Microsoft approved
platforms.  (I wonder if there will ever be a version of Explorer for the Mac.)

I expect the Microsoft plan to garner a bit of resistance from the Web
development community over this one...

I do not expect to see many OLE crypto apps for the web with this plan.
 
---
Alan Olsen -- [email protected] -- Contract Web Design & Instruction
        `finger -l [email protected]` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
  "We had to destroy the Internet in order to save it." - Sen. Exon