Perry E. Metzger (perry@piermont.com)
Tue, 27 Oct 1998 08:33:32 -0500
Bill Frantz writes:
> >My suggestion: why re-implement what is already available in the
> >program? The java applet is allowed to open an https: URL on the
> >server if it wishes. Have it do so, and download your session keys
> >that way.
> >
> >I've built several systems already that use this trick. 'taint pu'rty,
> >but it does the job.
>
> Perry - How is the HTTPS session key selected?

The randomness for it is derived using whatever method the browser
normally uses for selecting the thing. It is true that you are
dependent on the browser, but I suspect it is easier to get good
randomness in C than in Java. The code for Netscape's RNG is fairly
public, too.
Perry
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22