Li Gong, chief architect and distinguished engineer for Sun Microsystems, has repudiated criticism of Java as insecure, and has clarified the new security models in a recent version of the platform-independent programming language.
Originally, Java’s ‘sandbox’ model meant that applets could not open local files or make connections. After a while it became clear that while on the one hand this model is simple and comfortable, on the other hand, people sometimes want to customize their applets, Gong said. That’s why, in version 1.2 of Java, Sun introduced the concept of secure policy management. This means that the boundaries of the sandbox are flexible and can be reset.
“I sympathize with the people who have fears about Java security,” Gong confesses. “In practice, I can’t give a mathematical or logical proof that Java is secure. But before you go and buy whatever product is being advertised to stop Java, you might want to think about the ActiveX, email and PostScript content you use every day. Among them, Java is quite likely to be the most secure because the others do not even think about security.” In addition, the source code to those technologies has not been published, meaning they have not been subjected to the same degree of peer review Java has had to endure, Gong says.
New versions of Java are likely to update network protocols where Sun now admits support is deficient, notably in the cases of HTTP 1.1 and SOCKS 5. Sun is also looking to add support for IPv6, IPSec, multicast and RSVP.
“We want to provide high-level APIs that encapsulate features like an authentication function. We want to be able to solve single sign-on as it relates to the Java platform,” Gong says. “These are the sorts of issues we pay a lot of attention to. That’s why it might take longer for us to issue one of our APIs, whereas some companies just throw a few things together.”
In concluding, Gong told developers they could expect the next major Java road map at the JavaOne conference in March or April 1999.