[Isolate-interest] Security and other "extras" with isolation on J2ME-CLDC
Pete Soper
Pete@Soper.US
Sat, 24 Jul 2004 05:20:48 -0400
Jesper Zuchlag wrote:
> * The security aspects in the context of CLDC/MIDP must be analyzed
> and described further
I was under the impression that CLDC/MIDP has no security support, but
that impression is based on year-old data.
I should share a confession. When JSR-121 was launched, the "J2ME too"
thinking did not extend "below" J2ME CDC except in the vaguest manner
and it was a long, long time before the expert group could get past the
idea that isolation on CLDC is "something like one constructor and two
methods." And it is the case that we still lack the level of input from
a CLDC user's perspective to keep all the issues visible.
And so, when the subject of security with CLDC came up, periodically, we
all got uncomfortable and then immediately thought "well, of course it
isn't JSR-121's responsibility to invent security for CLDC too." So,
although the exposure of an Isolate constructor immediately makes one
think about security, there are other issues (imagine holding the end
of a ball of yarn) like how to express something beyond a main class
name that is, by definition, within the current scope. This in
turn has typically made us imagine usage of isolation APIs within a CLDC
context *exclusively* the domain of middleware developers working
closely with the Java vendor such that some quantity of implementation
defined support would always be present. I could go on about this, but
confining the topic to just security, one of my basic assumptions is
that an isolate would absolutely not be allowed access to its parent and
application developers would absolutely not have isolation APIs
available to them (note "application developers", not "the developers of
the code that supports applications"). So the net of this tends to be
"what security issues?"
But please comment on this subject and share your desires and concerns.
For example, would you imagine it natural to have a "special" name-value
string that determines whether an isolate can create other isolates? Is
there some super-simple substitute for the "run with a security manager"
mechanism available for J2SE and would this hold up to analysis?
This reminds me of an old saying, "as soon as you have a pocket then you
need something to put in it." We could extend this to our discussion by
saying "as soon as you have a pocket you have to worry about whether you
can stand to have a second one and who's doing the sewing!" :-)
-Pete