harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 21:15:52 GMT
Why not contribute directly to BouncyCastle?

Regards,
Tim

Mikhail Loenko wrote:
> The sources would be good - we would be able to fix bugs quickly and replace
> parts of implementation for example where our code is faster.
> 
> Thanks,
> Mikhail
> 
> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>> Heh.  Everything we will do is legal :)
>>
>> The point is - would taking some source from BC be the smart thing to do
>> - would it be complete, and what kind of maintenance burden would this
>> be going forward?  Would some kind of re-packaged artifact from the BC
>> project itself be better?
>>
>> Do we need source?  Could we have a step where we re-package BC code in
>> a form more suited for our purposes?
>>
>> geir
>>
>> Mikhail Loenko wrote:
>>> We can if it is legal
>>>
>>> Thanks,
>>> Mikhail
>>>
>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>
>>>> Stepan Mishura wrote:
>>>>> We should have at least to verify BC provider:
>>>>> 1) Message digest algorithm: SHA-1
>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>
>>>>> Other jars may require additional algorithms, for example, SHA1withRSA.
We
>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>
>>>>> Thanks,
>>>>> Stepan Mishura
>>>>> Intel Middleware Products Division
>>>>>
>>>>>
>>>>>
>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>>>>>> Hi Tim,
>>>>>>
>>>>>> In order to verify the signature of those signed provider jars I
believe
>>>>>> that you would also need trusted implementations of :
>>>>>>
>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>> * DSA and RSA signature algorithms
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> George
>>>>>> IBM UK
>>>>>>
>>>>>>
>>>>>> Tim Ellison wrote:
>>>>>>> Stepan Mishura wrote:
>>>>>>> <snip>
>>>>>>>
>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion
but
>>>>>> currently
>>>>>>>> we don't have Harmony provider so we should define how we
locate
>>>>>> 'trusted
>>>>>>>> provides' to be secure.
>>>>>>>>
>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>> providers' jars and get any others.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>> --
>>>>>
>>>
> 

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Mime
View raw message