On Thu, 11 Dec 1997, Joseph S. D. Yao wrote:
> Sounds like objects and methods.
Sounds like CORBA.
> And somebody will invent a way to infuse new methods into an object ...
> hey, presto! a virus in your data! Just what we've been trying to
> tell nethoax-frightened managers was not likely.
Viruses? It's worse!
In the currently used form CORBA is very unsecure. The Security
Service is not bad, it supports authentication, authorization, audit and
more, even non-repudiation. There are some problems left, but compared to
the competitor (DCOM) CORBA's security concept is much superior.
The real problem is that most (almost all) CORBA ORB vendors haven't
implemented this Security Service yet or are still in beta test. What you
really can buy now is not much more than a quick 'n' dirty hack. We
evaluated the "CORBA firewall" concepts of two leading vendors and are
absolutely not happy. Simple tunneling of IIOP in HTTP and using an
external packet filter for enforcement of the security policy is not
acceptable.
If you need CORBA security _now_ you have to do it yourself. But in most
cases users of big CORBA applications simply ignore security altogether.
Rudi
Received on Dec 13 1997