harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Davanum Srinivas <dava...@gmail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 14:15:01 GMT
Folks,

FYI, we are going take some code from BC in juice project. Check [1]
for more info.

thanks,
dims

[1] http://mail-archives.apache.org/mod_mbox/xml-juice-dev/200601.mbox/%3C43CE5A15.6030202@t-online.de%3E

On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> Heh.  Everything we will do is legal :)
>
> The point is - would taking some source from BC be the smart thing to do
> - would it be complete, and what kind of maintenance burden would this
> be going forward?  Would some kind of re-packaged artifact from the BC
> project itself be better?
>
> Do we need source?  Could we have a step where we re-package BC code in
> a form more suited for our purposes?
>
> geir
>
> Mikhail Loenko wrote:
> > We can if it is legal
> >
> > Thanks,
> > Mikhail
> >
> > On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >> So I'll ask the obvious - can we borrow some of this from BC?
> >>
> >> Stepan Mishura wrote:
> >>> We should have at least to verify BC provider:
> >>> 1) Message digest algorithm: SHA-1
> >>> 2) Signature algorithm: SHA1withDSA
> >>>
> >>> Other jars may require additional algorithms, for example, SHA1withRSA.
We
> >>> can verify BC provider first and use it for further jar verifications.
> >>>
> >>> Thanks,
> >>> Stepan Mishura
> >>> Intel Middleware Products Division
> >>>
> >>>
> >>>
> >>> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
> >>>> Hi Tim,
> >>>>
> >>>> In order to verify the signature of those signed provider jars I believe
> >>>> that you would also need trusted implementations of :
> >>>>
> >>>> * SHA-1 and MD5 digest algorithms
> >>>> * DSA and RSA signature algorithms
> >>>>
> >>>>
> >>>> Best regards,
> >>>> George
> >>>> IBM UK
> >>>>
> >>>>
> >>>> Tim Ellison wrote:
> >>>>> Stepan Mishura wrote:
> >>>>> <snip>
> >>>>>
> >>>>>> Returning back to the 'missing post'. I agreed with suggestion
but
> >>>> currently
> >>>>>> we don't have Harmony provider so we should define how we locate
> >>>> 'trusted
> >>>>>> provides' to be secure.
> >>>>>>
> >>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>> providers' jars and get any others.
> >>>>>
> >>>>> Regards,
> >>>>> Tim
> >>>>>
> >>>>>
> >>>
> >>> --
> >>>
> >
> >
>


--
Davanum Srinivas : http://wso2.com/blogs/

Mime
View raw message