harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikhail Loenko <mloe...@gmail.com>
Subject Re: verifying signed jars
Date Mon, 13 Feb 2006 05:36:11 GMT
How will it solve our problem with verifying signed jars?

Thanks,
Mikhail

On 2/13/06, Richard Liang <richard.liangyx@gmail.com> wrote:
> That's a good idea :-)
>
> Richard Liang
> China Software Development Lab, IBM
>
>
>
> Tim Ellison wrote:
> > Why not contribute directly to BouncyCastle?
> >
> > Regards,
> > Tim
> >
> > Mikhail Loenko wrote:
> >
> >> The sources would be good - we would be able to fix bugs quickly and replace
> >> parts of implementation for example where our code is faster.
> >>
> >> Thanks,
> >> Mikhail
> >>
> >> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >>
> >>> Heh.  Everything we will do is legal :)
> >>>
> >>> The point is - would taking some source from BC be the smart thing to do
> >>> - would it be complete, and what kind of maintenance burden would this
> >>> be going forward?  Would some kind of re-packaged artifact from the BC
> >>> project itself be better?
> >>>
> >>> Do we need source?  Could we have a step where we re-package BC code in
> >>> a form more suited for our purposes?
> >>>
> >>> geir
> >>>
> >>> Mikhail Loenko wrote:
> >>>
> >>>> We can if it is legal
> >>>>
> >>>> Thanks,
> >>>> Mikhail
> >>>>
> >>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >>>>
> >>>>> So I'll ask the obvious - can we borrow some of this from BC?
> >>>>>
> >>>>> Stepan Mishura wrote:
> >>>>>
> >>>>>> We should have at least to verify BC provider:
> >>>>>> 1) Message digest algorithm: SHA-1
> >>>>>> 2) Signature algorithm: SHA1withDSA
> >>>>>>
> >>>>>> Other jars may require additional algorithms, for example, SHA1withRSA.
We
> >>>>>> can verify BC provider first and use it for further jar verifications.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Stepan Mishura
> >>>>>> Intel Middleware Products Division
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com>
wrote:
> >>>>>>
> >>>>>>> Hi Tim,
> >>>>>>>
> >>>>>>> In order to verify the signature of those signed provider
jars I believe
> >>>>>>> that you would also need trusted implementations of :
> >>>>>>>
> >>>>>>> * SHA-1 and MD5 digest algorithms
> >>>>>>> * DSA and RSA signature algorithms
> >>>>>>>
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>> George
> >>>>>>> IBM UK
> >>>>>>>
> >>>>>>>
> >>>>>>> Tim Ellison wrote:
> >>>>>>>
> >>>>>>>> Stepan Mishura wrote:
> >>>>>>>> <snip>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Returning back to the 'missing post'. I agreed with
suggestion but
> >>>>>>>>>
> >>>>>>> currently
> >>>>>>>
> >>>>>>>>> we don't have Harmony provider so we should define
how we locate
> >>>>>>>>>
> >>>>>>> 'trusted
> >>>>>>>
> >>>>>>>>> provides' to be secure.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> We just need a trusted SHA1PRNG, right? then we can
open signed
> >>>>>>>> providers' jars and get any others.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Tim
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>> --
> >>>>>>
> >>>>>>
> >
> >
>
>

Mime
View raw message