MeadCo

About Security Manager

More : Security Manager technical data

Advanced controls such as Zeepe can bring significantly enhanced capability and functionality to web-based content and represent a powerful resource in the creation of fully-functional web-technology based applications.

When maliciously or carelessly applied, however, some such controls can be capable of violating both the integrity of a user's computer system and the privacy of the information it holds. And although a reputable developer or publisher will be quite willing to be identified and held accountable for the safe performance of their own controls, the nature of web-based technology and the method of its distribution means that a copied or stolen control can sometimes be mis-applied.

These issues -- together with the attendant publicity when something 'goes wrong' -- can make web technology users reluctant to accept anything other than 'standard' content. It is these concerns that MeadCo's Security Manager has been engineered to address and to satisfy.

MeadCo's Security Manager works like this:

• The Security Manager object is embedded into a page of web content. It references the MeadCo publishing license which has been issued to the publisher of the document, and which is located on the publisher's web server.
  
  
• When the document is accessed for the first time, the Security Manager control (installed on the user's machine as part of the Zeepe or ScriptX licensed download) 'looks' for a valid .MLF publishing license file and checks these three parameters:
  
  
  • Is the root URL from on or under which the content is being served identical to one whose address is bound into the license?
  • Is the license current, or has it expired?
  • Has the license been signed with Mead & Company's own Verisign keys? (Confirmation that the license file itself is original and intact, as issued).
• If Security Manager can confirm all three checks, then the license containing details of the publisher and the publisher's domain(s) -- together with the control(s) and other functions it may verify -- is presented to the user for acceptance.
  
  
• If Security Manager cannot find a valid publishing license, or if any of the three security requirements are not met, then the user is informed accordingly and the content will not be run.

Naturally it is for the user to chose whether or not to trust the publisher and agree or decline to accept the licensed content (except in the special 'silent' case of corporate intranet content) ... but such comprehensive validation by Security Manager has been proved to make acceptance much more likely.

ActiveX control domain binding issues:

When a valid license is accepted, any denoted ActiveX content will be bound to the domain it is being served from, as requested. If a page from any other domain happens to reference the same ActiveX control(s), it will obey the standard Internet Explorer security rules as defined by IE Security Zones (see MSKBQ182569 for technical details). This behaviour is provided for by MeadCo's custom implementation of Internet Explorer Security Manager.

Content and controls validated by a publishing license:

MeadCo's Security Manager is a 'standalone' component, and can therefore be used by developers and publishers to apply publishing licensing to their own applications, content and controls. So whilst MeadCo's controls such as Zeepe and ScriptX 'talk' to the Security Manager control in an intimate and useful way, the potential use for publishing licensing is very much broader.

The company's user-centric publishing licenses have proved to be 100% functional and secure over eight+ years of wide-scale corporate deployment.