
World: r3wp

[Plugin-2] Browser Plugins

JoshM
16-Jun-2006
[1196]
Here's a few components of Trusted Scripts (this is only a draft 
-- open for feedback):

 * Default security model is tight -- how tight is TBD.

 * Developers that want to take advantage of Trusted Scripts, i.e. 
 to lower security for a production app, first must buy a license.key 
 from RT.

 * license.key unlocks "features" and "permissions". Features are 
 things like encryption within the script. Permissions include file 
 sandbox, domain restrictions, dll loading permissions, etc.

 * license.key will contain contact info, so we can track down the 
 author of a malicious signed script if necessary.
Volker
16-Jun-2006
[1197]
Sounds in line with sdk: features for money. And you get some identity-check 
by money, good too. But you need something for the user to know what 
he is going to use. With url that is simple: stuff on this page. 
With signing it's quite obfuscated. Shall I allow everything which 
RT gives a thumb up? Or are certificates hardwired to domains?
JoshM
16-Jun-2006
[1198]
Volker, good point. We may also provide a certificate verification 
dialog, i.e. "Joe Shmo from company XYZ produced this verified REBOL 
script. Would you like to allow it to run?" or something to that 
effect....I'm not positive here....just tossing ideas out there.
Henrik
16-Jun-2006
[1199]
who provides verification?
JoshM
16-Jun-2006
[1200]
REBOL Technologies.
Henrik
16-Jun-2006
[1201]
do they have time and resources to sift through thousands of expertly 
crafted scripts per day? (just being positive about a future scenario 
:-))
JoshM
16-Jun-2006
[1202x2]
We would not be verifying the script itself, we would be verifying 
the publisher. If the publisher signs a malicious script, we have 
detailed contact info to track him down.
That is the model used today in Authenticode and other code-signing 
technologies.
james_nak
16-Jun-2006
[1204]
http://www.rebol.com/plugin/web-plugin-install.html
Josh, is that URL really supposed to auto load the plug-in? I'm getting 
an error when it actually tries to install it.
JoshM
16-Jun-2006
[1205x2]
We're, uh, working on that now :)
Are you running FireFox?
james_nak
16-Jun-2006
[1207]
Great. Thought it was me. Yes, FF
JoshM
16-Jun-2006
[1208]
Yes, we're looking into that now.
james_nak
16-Jun-2006
[1209x2]
No problem. Thanks.
Actually, pg-2 is not working in IE either. However, it seems to 
go farther; I see a box where the app should appear but no app.
JoshM
16-Jun-2006
[1211]
james, in IE, do you see the information bar at the top of the page 
requesting your permission to install the plugin?
james_nak
16-Jun-2006
[1212]
In IE no. FF, yes, but install fails.
JoshM
16-Jun-2006
[1213]
We are pleased to announce a new release of REBOL/Plugin. This release 
includes several new features, including:

 * Multiple instance support -- you can now have up to 5 instances 
 within one IE process.

 * Automatic updating -- after this release, backwards-compatible 
 updates will come automatically with user consent (no uninstall required).

 * Smooth install for FireFox and Mozilla.org-based browsers

 * Now compatible with Opera and all Mozilla browsers compatible with 
 npruntime.

 * do-browser now functions in Mozilla.
james_nak
16-Jun-2006
[1214]
It might be me. Let me uninstall first. I did this in FF but not 
IE. Hold on...
JoshM
16-Jun-2006
[1215x4]
To install the new plugin, please follow the steps listed at http://www.rebol.com/plugin/install.html.
Note: You MUST remove previous versions of the plugin before installing 
the new plugin. Please follow the steps in the above install guide.


Also, FireFox/Mozilla users: You MUST add rebol.com to your list 
of approved software installation web sites. Again, please follow 
the steps in the above install guide.
Please post feedback to this group. We'd love to hear what 
you think!
James, please see the instructions in the install guide related to 
uninstallation of previous versions and adding rebol.com to your 
approved sites list.
james_nak
16-Jun-2006
[1219x2]
Well, so far IE is a no go here. I closed all IE and deleted the 
files. At this point it just goes to the install page and I see the 
"blank" box.
Win 2000 Pro OS btw if that matters.
Dockimbel
16-Jun-2006
[1221]
Works well here with IE (after uninstalling previous plugin version). 
(WinXP SP1)
Henrik
16-Jun-2006
[1222]
"Click here to find out why" links to a page which says that only IE 
is supported
james_nak
16-Jun-2006
[1223x5]
Yeah I saw that and thought, "Oh, that's why."
Back. Thought I would reboot to see if that had any effect. None, 
sad to say.
Well, I went back to FF and added rebol.com. This time it downloaded 
the plugins (2 files, viewdll.dll and nprbmzpl.dll) and screen changed 
slightly in that I no longer see all of the white box that is supposed 
to be red and blue. It is cut off on the top.
Is there a method for IE to allow software installs like that of FF?
Josh, would you be open to providing files so I can manually install 
and verify that it works once loaded?
BrianH
16-Jun-2006
[1228x4]
Is the plugin served from an HTTPS site? It would be nice to avoid 
man-in-the-middle attacks. I'm always a little wary of putting non-SSL 
sites on the trusted sites list.


For that matter, when you have one site serving the html and script, 
and another serving the plugin, which site needs to be trusted, as 
far as the major browsers are concerned? I would think just the plugin 
serving site, but I don't quite remember right now...
My main desktop system is running Windows Server 2003 with the browser 
security settings enabled. It prohibits any ActiveX controls from 
running in IE at all unless they come from sites on the trusted list. 
It won't even give you the option unless you turn off the browser 
security.
Needless to say, this makes me much more comfortable with using IE, 
but it isn't really practical. So I use Firefox.
However, it does render IE safe enough to browse shady sites.
Graham
16-Jun-2006
[1232x4]
Well, that was painless.
My chat program still works...
Hmm.  Illegal operation in plugin.
only in firefox and not IE.
Volker
16-Jun-2006
[1236]
And enable javascript in ff .. (was stupid enough to forget that. 
then no auto-install)
Allen
16-Jun-2006
[1237]
Brian. Mashups (as I'm referring to) is the common term for webapps 
that utilise numerous webservices and combined in the browsers. But 
I hope you can come up with a security method that allows us to utilise 
advertising, google adwords-api, flickr, amazon-api, numerous maps, 
calendars. etc ; without having to combine on a single server before 
it goes out to the client's rebol plugin. I can do all this now in 
a browser, but I won't be able to with a rebol-plugin?
Volker
16-Jun-2006
[1238x2]
How would you check for a mashup?
Instead of somebody making your machine a proxy?
Allen
16-Jun-2006
[1240]
security vs useful ... I know it's a tough call. Just pointing out 
how some of the multi-services from different domains is so common 
now. (just disable 3rd party cookies in your browser to see how many 
warning messages you get)
Volker
16-Jun-2006
[1241x3]
Btw does that mean a page from the web can access my local test-webserver?
there is a lot of useful without mashup.
And there is mashup with signed scripts.
Allen
16-Jun-2006
[1244]
simple question. Will a plugin be allowed to read data [get, post, 
or soap] from a website other than the one that the script came from?
Volker
16-Jun-2006
[1245]
Uhm, and there is do-browser?