harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: verifying signed jars
Date Mon, 13 Feb 2006 10:31:30 GMT
My comment was directed towards:

Mikhail Loenko wrote: "The sources would be good - we would be able to
fix bugs quickly and replace parts of implementation for example where
our code is faster."

i.e. why not fix bugs and make it go faster for everyone -- no need to fork.

Regards,
Tim

Mikhail Loenko wrote:
> How will it solve our problem with verifying signed jars?
> 
> Thanks,
> Mikhail
> 
> On 2/13/06, Richard Liang <richard.liangyx@gmail.com> wrote:
>> That's a good idea :-)
>>
>> Richard Liang
>> China Software Development Lab, IBM
>>
>>
>>
>> Tim Ellison wrote:
>>> Why not contribute directly to BouncyCastle?
>>>
>>> Regards,
>>> Tim
>>>
>>> Mikhail Loenko wrote:
>>>
>>>> The sources would be good - we would be able to fix bugs quickly and replace
>>>> parts of implementation for example where our code is faster.
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>>
>>>>> Heh.  Everything we will do is legal :)
>>>>>
>>>>> The point is - would taking some source from BC be the smart thing to
do
>>>>> - would it be complete, and what kind of maintenance burden would this
>>>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>>>> project itself be better?
>>>>>
>>>>> Do we need source?  Could we have a step where we re-package BC code
in
>>>>> a form more suited for our purposes?
>>>>>
>>>>> geir
>>>>>
>>>>> Mikhail Loenko wrote:
>>>>>
>>>>>> We can if it is legal
>>>>>>
>>>>>> Thanks,
>>>>>> Mikhail
>>>>>>
>>>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
>>>>>>
>>>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>>>
>>>>>>> Stepan Mishura wrote:
>>>>>>>
>>>>>>>> We should have at least to verify BC provider:
>>>>>>>> 1) Message digest algorithm: SHA-1
>>>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>>>
>>>>>>>> Other jars may require additional algorithms, for example,
SHA1withRSA. We
>>>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stepan Mishura
>>>>>>>> Intel Middleware Products Division
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com>
wrote:
>>>>>>>>
>>>>>>>>> Hi Tim,
>>>>>>>>>
>>>>>>>>> In order to verify the signature of those signed provider
jars I believe
>>>>>>>>> that you would also need trusted implementations of :
>>>>>>>>>
>>>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>>>> * DSA and RSA signature algorithms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> George
>>>>>>>>> IBM UK
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Tim Ellison wrote:
>>>>>>>>>
>>>>>>>>>> Stepan Mishura wrote:
>>>>>>>>>> <snip>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Returning back to the 'missing post'. I agreed
with suggestion but
>>>>>>>>>>>
>>>>>>>>> currently
>>>>>>>>>
>>>>>>>>>>> we don't have Harmony provider so we should define
how we locate
>>>>>>>>>>>
>>>>>>>>> 'trusted
>>>>>>>>>
>>>>>>>>>>> provides' to be secure.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can
open signed
>>>>>>>>>> providers' jars and get any others.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>
>>
> 

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Mime
View raw message