harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mikhail Loenko <mloe...@gmail.com>
Subject Re: verifying signed jars
Date Mon, 13 Feb 2006 10:41:25 GMT
Well, we can start with binaries and if we strike a snag will see

Thanks,
Mikhail

On 2/13/06, Tim Ellison <t.p.ellison@gmail.com> wrote:
> My comment was directed towards:
>
> Mikhail Loenko wrote: "The sources would be good - we would be able to
> fix bugs quickly and replace parts of implementation for example where
> our code is faster."
>
> i.e. why not fix bugs and make it go faster for everyone -- no need to fork.
>
> Regards,
> Tim
>
> Mikhail Loenko wrote:
> > How will it solve our problem with verifying signed jars?
> >
> > Thanks,
> > Mikhail
> >
> > On 2/13/06, Richard Liang <richard.liangyx@gmail.com> wrote:
> >> That's a good idea :-)
> >>
> >> Richard Liang
> >> China Software Development Lab, IBM
> >>
> >>
> >>
> >> Tim Ellison wrote:
> >>> Why not contribute directly to BouncyCastle?
> >>>
> >>> Regards,
> >>> Tim
> >>>
> >>> Mikhail Loenko wrote:
> >>>
> >>>> The sources would be good - we would be able to fix bugs quickly and
replace
> >>>> parts of implementation for example where our code is faster.
> >>>>
> >>>> Thanks,
> >>>> Mikhail
> >>>>
> >>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >>>>
> >>>>> Heh.  Everything we will do is legal :)
> >>>>>
> >>>>> The point is - would taking some source from BC be the smart thing
to do
> >>>>> - would it be complete, and what kind of maintenance burden would
this
> >>>>> be going forward?  Would some kind of re-packaged artifact from
the BC
> >>>>> project itself be better?
> >>>>>
> >>>>> Do we need source?  Could we have a step where we re-package BC
code in
> >>>>> a form more suited for our purposes?
> >>>>>
> >>>>> geir
> >>>>>
> >>>>> Mikhail Loenko wrote:
> >>>>>
> >>>>>> We can if it is legal
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Mikhail
> >>>>>>
> >>>>>> On 2/10/06, Geir Magnusson Jr <geir@pobox.com> wrote:
> >>>>>>
> >>>>>>> So I'll ask the obvious - can we borrow some of this from
BC?
> >>>>>>>
> >>>>>>> Stepan Mishura wrote:
> >>>>>>>
> >>>>>>>> We should have at least to verify BC provider:
> >>>>>>>> 1) Message digest algorithm: SHA-1
> >>>>>>>> 2) Signature algorithm: SHA1withDSA
> >>>>>>>>
> >>>>>>>> Other jars may require additional algorithms, for example,
SHA1withRSA. We
> >>>>>>>> can verify BC provider first and use it for further
jar verifications.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Stepan Mishura
> >>>>>>>> Intel Middleware Products Division
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 2/10/06, George Harley <george.c.harley@googlemail.com>
wrote:
> >>>>>>>>
> >>>>>>>>> Hi Tim,
> >>>>>>>>>
> >>>>>>>>> In order to verify the signature of those signed
provider jars I believe
> >>>>>>>>> that you would also need trusted implementations
of :
> >>>>>>>>>
> >>>>>>>>> * SHA-1 and MD5 digest algorithms
> >>>>>>>>> * DSA and RSA signature algorithms
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Best regards,
> >>>>>>>>> George
> >>>>>>>>> IBM UK
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Tim Ellison wrote:
> >>>>>>>>>
> >>>>>>>>>> Stepan Mishura wrote:
> >>>>>>>>>> <snip>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> Returning back to the 'missing post'. I
agreed with suggestion but
> >>>>>>>>>>>
> >>>>>>>>> currently
> >>>>>>>>>
> >>>>>>>>>>> we don't have Harmony provider so we should
define how we locate
> >>>>>>>>>>>
> >>>>>>>>> 'trusted
> >>>>>>>>>
> >>>>>>>>>>> provides' to be secure.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>> We just need a trusted SHA1PRNG, right? then
we can open signed
> >>>>>>>>>> providers' jars and get any others.
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Tim
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>> --
> >>>>>>>>
> >>>>>>>>
> >>>
> >>
> >
>
> --
>
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.
>

Mime
View raw message