> But, I don't think the Java folks should
> be trying to claim "secure sand box" in comparison
> to ActiveX until there have been enough iterations
> to get most of the bugs worked out. I'd buy
> a "less risk" argument.
The thing is, though, that I don't see how these two statements follow from
each other. Security is ALWAYS a matter of more or less risk. That's all ANY
security argument is... varying degrees of risk. They have designed a secure
sandbox. I feel the design is flawed but good enough that the exposure is
minimal. Word documents, for example, are a much bigger problem.
> I also find it ironic that Java
> (in v 1.2 or 1.1?) is adopting the signed, non-protected
> applet model of ActiveX.
As I said, security doesn't sell. They are simply offering a less secure
model for people willing to take the risk.
> FWIW, I prefer the sandboxed concept. I'd just like
> to get through all the iterations it takes to actually
> secure the stuff.
That's the point. The potential is there for Java to become quite a secure
environment. ActiveX, however, will become more INsecure as time goes on
because there's no revocation mechanism and as holes are found in applets
there will be more and more opportunity for vandals.