harmony-dev mailing list archives

From Stepan Mishura <stepan.mish...@gmail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 10:51:43 GMT
We should have at least the following to verify the BC provider:
1) Message digest algorithm: SHA-1
2) Signature algorithm: SHA1withDSA

Other jars may require additional algorithms, for example, SHA1withRSA. We
can verify the BC provider first and use it for further jar verifications.

Thanks,
Stepan Mishura
Intel Middleware Products Division



On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
>
> Hi Tim,
>
> In order to verify the signature of those signed provider jars I believe
> that you would also need trusted implementations of :
>
> * SHA-1 and MD5 digest algorithms
> * DSA and RSA signature algorithms
>
>
> Best regards,
> George
> IBM UK
>
>
> Tim Ellison wrote:
> > Stepan Mishura wrote:
> > <snip>
> >
> >> Returning back to the 'missing post'. I agreed with the suggestion but
> >> currently we don't have a Harmony provider so we should define how we
> >> locate 'trusted providers' to be secure.
> >>
> >
> > We just need a trusted SHA1PRNG, right? Then we can open signed
> > providers' jars and get any others.
> >
> > Regards,
> > Tim
> >
> >
>
>
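
The following Java example is added here and is not from the thread or from Harmony's code: it reads a signed jar's META-INF entries and lists which digest and signature key algorithms a verifier must already trust before it can check that jar, which is the bootstrap question discussed above. The class name, entry names and digest values are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.*;

public class JarAlgorithmScan {
    // Collects the digest names and signature key algorithms referenced by the
    // signature files (.SF) and signature block files (.DSA/.RSA/.EC) of a jar.
    static Set<String> requiredAlgorithms(InputStream jar) throws IOException {
        Set<String> needed = new TreeSet<>();
        try (ZipInputStream zin = new ZipInputStream(jar)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                String name = e.getName().toUpperCase(Locale.ROOT);
                if (!name.startsWith("META-INF/")) continue;
                // The block file extension names the key algorithm only; the digest
                // paired with it (e.g. SHA1withDSA) is recorded inside the block.
                if (name.endsWith(".DSA")) needed.add("signature:DSA");
                else if (name.endsWith(".RSA")) needed.add("signature:RSA");
                else if (name.endsWith(".EC")) needed.add("signature:EC");
                else if (name.endsWith(".SF")) {
                    Manifest sf = new Manifest(zin); // .SF uses manifest syntax
                    collectDigests(sf.getMainAttributes(), needed);
                    for (Attributes a : sf.getEntries().values()) collectDigests(a, needed);
                }
            }
        }
        return needed;
    }

    // Attribute names look like "SHA1-Digest", "MD5-Digest", "SHA1-Digest-Manifest".
    static void collectDigests(Attributes attrs, Set<String> needed) {
        for (Object k : attrs.keySet()) {
            String key = k.toString();
            int i = key.indexOf("-Digest");
            if (i > 0) needed.add("digest:" + key.substring(0, i));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample jar held in memory; digests and block bytes are placeholders.
        String sf = "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\n"
                  + "Name: org/example/Provider.class\r\nSHA1-Digest: BBBB\r\n\r\n";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("META-INF/SAMPLE.SF"));
            zout.write(sf.getBytes("UTF-8"));
            zout.putNextEntry(new ZipEntry("META-INF/SAMPLE.DSA"));
            zout.write(new byte[] {0x30, 0x00}); // not a real PKCS#7 block
        }
        System.out.println(requiredAlgorithms(new ByteArrayInputStream(buf.toByteArray())));
    }
}
```

The scan parses names only and verifies nothing, so it can run before any provider is trusted; its result is the list of algorithms that must come from an already trusted implementation.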

