On 10/01/2010 03:00 PM, Michal Kleczek wrote:
3. I agree with Tom that making sure the code comes from a known source is enough to make a decision whether to run this code or not. But Jini already checks that (well... almost) - the only hole is that the check is done _after_ deserialization - so it means the code was executed _before_ the check was done. My question actually is - why don't we check an object before it is deserialized?
A possible solution might be to enforce that code download uses TLS and to verify that the other side's certificate matches the downloader's trust list. We can extend this by enforcing that the downloaded jars/classes are signed with a similar certificate.
A "once bitten" measure could be that, if a server violates this rule, it is automatically taken off the trust list.
Gr. Sim
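An added illustration of the scheme Sim sketches above, written for this note rather than taken from the thread or from the Jini/River sources: the TLS peer must chain to a certificate in the downloader's trust list, every entry of the fetched jar must be signed by a certificate from that same list, a violating host is dropped from an in-memory "once bitten" set, and a class loader is only built after both checks pass. The class name, the keystore-file trust list and the `distrusted` set are assumptions of this example, not anything the thread or the project defines.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example only (not River/Jini code). Downloads a codebase jar over TLS where the
 * peer must chain to the downloader's trust list, then checks that every entry of
 * the jar is signed by a certificate from that same list. Only after both checks
 * pass is a class loader built, so nothing from the jar runs before the check.
 */
public final class TrustedCodebaseFetcher {
    private final KeyStore trustList;                         // assumed: a JKS/PKCS12 file of trusted certs
    private final Set<String> distrusted = new HashSet<>();   // "once bitten": hosts dropped after a violation

    public TrustedCodebaseFetcher(KeyStore trustList) {
        this.trustList = trustList;
    }

    /** Fetches the jar at {@code codebase} into {@code dest} and returns a loader for it, or throws. */
    public ClassLoader fetch(URL codebase, File dest) throws Exception {
        String host = codebase.getHost();
        if (distrusted.contains(host)) {
            throw new SecurityException("host was previously distrusted: " + host);
        }
        if (!"https".equals(codebase.getProtocol())) {
            throw new SecurityException("codebase must be fetched over https: " + codebase);
        }

        // Trust anchors come only from the trust list, never from the JDK's default cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustList);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) codebase.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {        // TLS handshake happens here
            Files.copy(in, dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        } catch (IOException e) {                             // SSLHandshakeException is an IOException
            distrusted.add(host);
            throw e;
        }
        try {
            verifySignedByTrustList(dest);
        } catch (SecurityException e) {
            distrusted.add(host);
            dest.delete();
            throw e;
        }
        return new URLClassLoader(new URL[] { dest.toURI().toURL() });
    }

    /** Every non-META-INF entry must carry a valid signature from a cert in the trust list. */
    private void verifySignedByTrustList(File jar) throws Exception {
        Set<Certificate> trusted = new HashSet<>();
        for (Enumeration<String> aliases = trustList.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustList.getCertificate(aliases.nextElement());
            if (c != null) trusted.add(c);                    // Certificate.equals compares DER encodings
        }
        try (JarFile jf = new JarFile(jar, true)) {           // verify=true: digests checked on read
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }            // must read to EOF before getCertificates()
                }                                             // a tampered entry throws SecurityException here
                Certificate[] signers = entry.getCertificates();
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                boolean fromTrustList = false;
                for (Certificate c : signers) {
                    if (trusted.contains(c)) fromTrustList = true;
                }
                if (!fromTrustList) {
                    throw new SecurityException("signer not in trust list: " + entry.getName());
                }
            }
        }
    }

    /** Usage: java TrustedCodebaseFetcher trust.jks <password> https://host/codebase.jar out.jar */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        ClassLoader loader = new TrustedCodebaseFetcher(ks).fetch(new URL(args[2]), new File(args[3]));
        System.out.println("codebase verified; loader ready: " + loader);
    }
}
```

Two caveats a practitioner would want: `HttpsURLConnection` still applies its default hostname check on top of the trust-list anchors, so the server certificate must also name the host in the codebase URL; and because `tmf.init(trustList)` treats every certificate in the list as an anchor, putting a CA certificate there admits any server or jar signer that CA has issued, which is a wider trust decision than pinning individual end-entity certificates.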
