harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikhail Loenko <mloe...@gmail.com>
Subject Re: verifying signed jars
Date Fri, 10 Feb 2006 16:59:33 GMT
The sources would be good - we would be able to fix bugs quickly and replace
parts of implementation for example where our code is faster.

Thanks,
Mikhail

On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> Heh.  Everything we will do is legal :)
>
> The point is - would taking some source from BC be the smart thing to do
> - would it be complete, and what kind of maintenance burden would this
> be going forward?  Would some kind of re-packaged artifact from the BC
> project itself be better?
>
> Do we need source?  Could we have a step where we re-package BC code in
> a form more suited for our purposes?
>
> geir
>
> Mikhail Loenko wrote:
> > We can if it is legal
> >
> > Thanks,
> > Mikhail
> >
> > On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >> So I'll ask the obvious - can we borrow some of this from BC?
> >>
> >> Stepan Mishura wrote:
> >>> We should have at least to verify BC provider:
> >>> 1) Message digest algorithm: SHA-1
> >>> 2) Signature algorithm: SHA1withDSA
> >>>
> >>> Other jars may require additional algorithms, for example, SHA1withRSA.
We
> >>> can verify BC provider first and use it for further jar verifications.
> >>>
> >>> Thanks,
> >>> Stepan Mishura
> >>> Intel Middleware Products Division
> >>>
> >>>
> >>>
> >>> On 2/10/06, George Harley <george.c.harley@googlemail.com> wrote:
> >>>> Hi Tim,
> >>>>
> >>>> In order to verify the signature of those signed provider jars I believe
> >>>> that you would also need trusted implementations of :
> >>>>
> >>>> * SHA-1 and MD5 digest algorithms
> >>>> * DSA and RSA signature algorithms
> >>>>
> >>>>
> >>>> Best regards,
> >>>> George
> >>>> IBM UK
> >>>>
> >>>>
> >>>> Tim Ellison wrote:
> >>>>> Stepan Mishura wrote:
> >>>>> <snip>
> >>>>>
> >>>>>> Returning back to the 'missing post'. I agreed with suggestion
but
> >>>> currently
> >>>>>> we don't have Harmony provider so we should define how we locate
> >>>> 'trusted
> >>>>>> provides' to be secure.
> >>>>>>
> >>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>> providers' jars and get any others.
> >>>>>
> >>>>> Regards,
> >>>>> Tim
> >>>>>
> >>>>>
> >>>
> >>> --
> >>>
> >
> >
>

Mime
View raw message