Documents describing approach/philosophy/architecture of future Java 7 Applet security improvements

Holger Brands holger.brands at googlemail.com
Sat Aug 3 02:12:14 PDT 2013


I've found at least some information here:
http://jdk7.java.net/EA_features_changes.html

The deployment rule set and the option to disable the "JRE out of date"
warning seem to be interesting.
But I didn't see any official blog or explanation from Oracle yet.

In my opinion, there needs to be an open communication channel (like a
mailing list) for the security and deployment stuff, so Oracle and the
community can discuss issues and feedback more transparently.
Unfortunately, the deploy stack doesn't seem to be part of OpenJDK and the
Oracle forums are mainly thought of as a user-to-user forum, I think.

Holger

2013/8/1 Ludwig, Mark <ludwig.mark at siemens.com>

> Greetings,
>
> I represent a commercial software organization with numerous signed Java
> Applets deployed by hundreds of large IT organizations around the world.
>  Most are invoked by JavaScript.  I don't know exactly how many end users
> we have, but it's safe to say it's >10,000 and perhaps >100,000.  The
> application is for file management, so naturally the Applets are designed
> to work with users' directories/folders and files.
>
> We have been mostly blind-sided by Java 7 Updates 21 & 25, and I fear that
> Update 40 will hit us again in some unexpected way.
>
> We are trying to change our Applet architecture to align with the
> go-forward approach, but I can't seem to find any decent forward-looking
> information.  Somewhere, probably inside Oracle, such plans exist.  Are
> they secret?  If not, can they be shared?
>
> To be clear, those of us who understand how Applets work in browsers
> (including JavaScript integration) have known about most of the security
> problems that have been fixed already.  What we need to know is the
> ordering/pacing of forthcoming security changes, so we have a chance of
> focusing our work to deploy patches to customers timed to align with the
> time when Oracle sends Java updates.
>
> Thanks,
>
> Mark Ludwig
> Lifecycle Coll
> Product Lifecycle Management
>
> Siemens Industry Sector
> Siemens Product Lifecycle Management Software Inc.
> 5939 Rice Creek Parkway
> Shoreview, MN  55126 United States
> Tel.      :+1 (651) 855-6140
> Fax      :+1 (651) 855-6280
> ludwig.mark at siemens.com
> www.siemens.com/plm
>
>



More information about the jdk7u-dev mailing list