harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Geir Magnusson Jr <g...@pobox.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 12:31:27 GMT
So I'll ask the obvious - can we borrow some of this from BC?

Stepan Mishura wrote:
> We should have at least to verify BC provider:
> 1) Message digest algorithm: SHA-1
> 2) Signature algorithm: SHA1withDSA
> 
> Other jars may require additional algorithms, for example, SHA1withRSA. We
> can verify BC provider first and use it for further jar verifications.
> 
> Thanks,
> Stepan Mishura
> Intel Middleware Products Division
> 
> 
> 
> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>> Hi Tim,
>>
>> In order to verify the signature of those signed provider jars I believe
>> that you would also need trusted implementations of :
>>
>> * SHA-1 and MD5 digest algorithms
>> * DSA and RSA signature algorithms
>>
>>
>> Best regards,
>> George
>> IBM UK
>>
>>
>> Tim Ellison wrote:
>>> Stepan Mishura wrote:
>>> <snip>
>>>
>>>> Returning back to the 'missing post'. I agreed with suggestion but
>> currently
>>>> we don't have Harmony provider so we should define how we locate
>> 'trusted
>>>> provides' to be secure.
>>>>
>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>> providers' jars and get any others.
>>>
>>> Regards,
>>> Tim
>>>
>>>
>>
> 
> 
> --
> 

Mime
View raw message