Re: [GNU Crypto] how to deal with weak keys. was: Documentation

[Marcel Winandy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Raif!

Raif S. Naffah wrote:
> the java access control are "run-time" based permissions that can be
> altered by whoever installs, and/or have access to the launcher of the
> application.  using the -Djava.security option and an appropriate
> policy file, that person (or somebody on their behalf, or because of
> their action) can change the way the code behaves contrary to what the
> packager intended.

There is one important thing to consider about the Java security architecture. 
It heavily relies upon the execution environment in which the Java Virtual 
Machine is executed. Regarding the usual operating systems (with 
discretionary access control) anybody who can alter the way an application is 
launched will also be able to modify the code of the application.

- From this point of view there is no difference between conditional 
compilation 
and the property/permission approach.

There is another issue about the security manager. The security manager can be 
exchanged or even absent. Since J2SE, it is better to use the Access 
Controller directly because it is always present and cannot be exchanged.

Ciao,
 Marcel
- -- 
Marcel Winandy
EMail: address@hidden
http://www-student.informatik.uni-bonn.de/~winandy/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+2NUFjqlzsXwzXNwRAgbiAJ0UpBU5wPUGwK2qrRFashd6eEorrQCg54eR
wRO0P8Y+hG8sOw1BNTfowHM=
=rS9s
-----END PGP SIGNATURE-----