Article 2523 of comp.lang.java.security:

rune@apache.cc.uit.no (Rune Eidhammer) writes:

> To be honest I have so far some difficulties seeing what the exact
> problem is.

That's not surprising. But you're thinking along the right lines:

> Trust is another matter. Trust is a user decision. How the user
> makes that decision, whether it is some kind of
> preferences/configuration or a popup window asking for permission,
> is not necessarily important. My question is then: if ActiveX uses
> digital signatures and the user is given the opportunity to deny
> execution of scripts based on the author of it, how is ActiveX less
> secure than Java?

The crucial issue is that Java supports partial trust. With Java, one can relax the security restrictions piecemeal, so that an applet has access only to a small number of resources -- those it truly needs -- and no others. For example, an applet which performs word-processing or some other document-editing function might be given read and write access to the files being edited, and read access to a personal spelling dictionary, and no others. There's still a potential for loss, but the loss would be localized and restricted.

That ability to "contain and restrict" the risk is a good thing. There's a potential for loss in nearly everything we do -- for example, each time you put money in a vending machine, there's a chance that the machine will eat it and not deliver the goods. But you'll only lose the money you put in. Contrast that with a system whereby you hand over your whole wallet, the machine takes what it needs, and (hopefully) gives you the rest back.

I don't think anyone is claiming that the situation with Java is perfect. In particular, a lot of work needs to be done to produce trust-management interfaces which are simple, clear, and easy to use. Java, though, has the infrastructure (a flexible security policy mechanism that can allow or deny access at a very fine-grained level) to support good solutions.
ActiveX, on the other hand, supports two levels of trust: complete trust and complete distrust. If you distrust an ActiveX control, the only wise course of action is to simply not use it. If you trust it, you must trust it completely; once it is running on your system, it can do anything you can do, including immediate, obviously destructive things like formatting your hard drive, or more subtle things which would not be detectable until much later, long after the ActiveX control has erased itself from your system and been forgotten.

Partial trust is *important*. Think about how many people you place trust in during your activities this week. Think about how many of those people you would trust with your life's savings. Now think about how difficult your week would be if you only had two choices: trust people with everything that's important to you, or don't trust them with anything.

---glv
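The fine-grained policy mechanism glv refers to, shown as an added example that is not part of the original post: a standalone Java program that installs a custom Policy granting exactly the two resources of the hypothetical editor applet (read/write on the document being edited, read on a spelling dictionary) and then tries a handful of operations to show that everything outside that grant is refused. The EditorPolicy class, the attempt helper and the temporary sample files are illustration-only assumptions, not anything from the thread. It assumes a JDK that still ships the SecurityManager: Java 11 to 17 run it as written (17 prints a deprecation warning to stderr), Java 18 to 23 need -Djava.security.manager=allow on the command line, and Java 24 removed the mechanism entirely.

```java
import java.io.FilePermission;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added example (not from the original post): partial trust through the Java
 * security policy mechanism. Assumes Java 11-17; on 18-23 run with
 * -Djava.security.manager=allow; Java 24 removed the SecurityManager.
 */
public class PartialTrustDemo {

    /** Hypothetical policy: exactly what a document editor needs, nothing more. */
    static final class EditorPolicy extends Policy {
        private final Permissions granted = new Permissions();

        EditorPolicy(Path document, Path dictionary) {
            granted.add(new FilePermission(document.toString(), "read,write"));
            granted.add(new FilePermission(dictionary.toString(), "read"));
            // Nothing else is listed: no other files, no system properties,
            // no sockets, no System.exit. Whatever is not granted is denied.
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            // Consulted for every non-bootstrap protection domain on the call
            // stack, i.e. for this program's own classes, on each checked access.
            return granted.implies(permission);
        }
    }

    /** A unit of work the "editor" wants to perform. */
    interface Action {
        void run() throws IOException;
    }

    /** Runs the action and reports whether the installed policy allowed it. */
    static String attempt(String label, Action action) {
        try {
            action.run();
            return label + ": allowed";
        } catch (SecurityException e) {       // AccessControlException is a subclass
            return label + ": DENIED (" + e.getMessage() + ")";
        } catch (IOException e) {
            return label + ": I/O error (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Set-up runs before the SecurityManager is installed, so it is
        // unrestricted. The three files are constructed sample data.
        final Path document = Files.createTempFile("letter", ".txt");
        final Path dictionary = Files.createTempFile("dictionary", ".txt");
        final Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(dictionary, "colour\nfavour\n", StandardCharsets.UTF_8);
        Files.writeString(secret, "not for the applet\n", StandardCharsets.UTF_8);
        for (Path p : new Path[] {document, dictionary, secret}) {
            p.toFile().deleteOnExit();   // registered now, while still unrestricted
        }

        // From here on, application code can only do what EditorPolicy grants.
        Policy.setPolicy(new EditorPolicy(document, dictionary));
        System.setSecurityManager(new SecurityManager());

        System.out.println(attempt("write the document", new Action() {
            public void run() throws IOException {
                Files.writeString(document, "Dear Sir,\n", StandardCharsets.UTF_8);
            }
        }));
        System.out.println(attempt("read the document back", new Action() {
            public void run() throws IOException { Files.readString(document); }
        }));
        System.out.println(attempt("read the spelling dictionary", new Action() {
            public void run() throws IOException { Files.readString(dictionary); }
        }));
        System.out.println(attempt("write the spelling dictionary", new Action() {
            public void run() throws IOException {
                Files.writeString(dictionary, "oops\n", StandardCharsets.UTF_8);
            }
        }));
        System.out.println(attempt("read an unrelated file", new Action() {
            public void run() throws IOException { Files.readString(secret); }
        }));
        System.out.println(attempt("read the user.home property", new Action() {
            public void run() { System.getProperty("user.home"); }
        }));
    }
}
```

Compile with `javac PartialTrustDemo.java` (expect removal warnings for Policy and SecurityManager) and run with `java PartialTrustDemo`. The first three attempts succeed; writing the dictionary, reading the unrelated file and reading the property all fail with a SecurityException before any file is touched. The same grant can be written in the standard policy-file syntax instead of code, e.g. `grant codeBase "file:/path/to/editor.jar" { permission java.io.FilePermission "/home/me/letter.txt", "read,write"; permission java.io.FilePermission "/home/me/dictionary.txt", "read"; };`, and loaded with `-Djava.security.manager -Djava.security.policy=editor.policy`. One caveat a practitioner should keep in mind: partial trust bounds what the mediated APIs will touch, not what the code does inside that bound, so a malicious editor can still corrupt the document it was handed. That is precisely the "localized and restricted" loss the post describes, as opposed to the whole-wallet loss of an all-or-nothing model.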