harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Liang <richard.lian...@gmail.com>
Subject Re: verifying signed jars
Date Mon, 13 Feb 2006 03:53:24 GMT
That's a good idea :-)

Richard Liang
China Software Development Lab, IBM



Tim Ellison wrote:
> Why not contribute directly to BouncyCastle?
>
> Regards,
> Tim
>
> Mikhail Loenko wrote:
>   
>> The sources would be good - we would be able to fix bugs quickly and replace
>> parts of implementation for example where our code is faster.
>>
>> Thanks,
>> Mikhail
>>
>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>     
>>> Heh.  Everything we will do is legal :)
>>>
>>> The point is - would taking some source from BC be the smart thing to do
>>> - would it be complete, and what kind of maintenance burden would this
>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>> project itself be better?
>>>
>>> Do we need source?  Could we have a step where we re-package BC code in
>>> a form more suited for our purposes?
>>>
>>> geir
>>>
>>> Mikhail Loenko wrote:
>>>       
>>>> We can if it is legal
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>>         
>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>
>>>>> Stepan Mishura wrote:
>>>>>           
>>>>>> We should have at least to verify BC provider:
>>>>>> 1) Message digest algorithm: SHA-1
>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>
>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA.
We
>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>
>>>>>> Thanks,
>>>>>> Stepan Mishura
>>>>>> Intel Middleware Products Division
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com>
wrote:
>>>>>>             
>>>>>>> Hi Tim,
>>>>>>>
>>>>>>> In order to verify the signature of those signed provider jars
I believe
>>>>>>> that you would also need trusted implementations of :
>>>>>>>
>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>> * DSA and RSA signature algorithms
>>>>>>>
>>>>>>>
>>>>>>> Best regards,
>>>>>>> George
>>>>>>> IBM UK
>>>>>>>
>>>>>>>
>>>>>>> Tim Ellison wrote:
>>>>>>>               
>>>>>>>> Stepan Mishura wrote:
>>>>>>>> <snip>
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion
but
>>>>>>>>>                   
>>>>>>> currently
>>>>>>>               
>>>>>>>>> we don't have Harmony provider so we should define how
we locate
>>>>>>>>>                   
>>>>>>> 'trusted
>>>>>>>               
>>>>>>>>> provides' to be secure.
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open
signed
>>>>>>>> providers' jars and get any others.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Tim
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>> --
>>>>>>
>>>>>>             
>
>   

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message