Return-Path: Delivered-To: apmail-incubator-harmony-dev-archive@www.apache.org Received: (qmail 73913 invoked from network); 13 Feb 2006 10:32:12 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 13 Feb 2006 10:32:12 -0000 Received: (qmail 22213 invoked by uid 500); 13 Feb 2006 10:32:04 -0000 Delivered-To: apmail-incubator-harmony-dev-archive@incubator.apache.org Received: (qmail 22109 invoked by uid 500); 13 Feb 2006 10:32:04 -0000 Mailing-List: contact harmony-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: harmony-dev@incubator.apache.org Delivered-To: mailing list harmony-dev@incubator.apache.org Received: (qmail 22079 invoked by uid 99); 13 Feb 2006 10:32:04 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Feb 2006 02:32:04 -0800 X-ASF-Spam-Status: No, hits=3.9 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: 217.158.94.220 is neither permitted nor denied by domain of t.p.ellison@gmail.com) Received: from [217.158.94.220] (HELO cirrus.purplecloud.com) (217.158.94.220) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Feb 2006 02:32:03 -0800 Received: (qmail 72489 invoked from network); 13 Feb 2006 10:31:41 +0000 Received: from blueice3n1.uk.ibm.com (HELO ?9.20.183.163?) (195.212.29.83) by smtp.purplecloud.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 13 Feb 2006 10:31:41 +0000 Message-ID: <43F06002.1030004@gmail.com> Date: Mon, 13 Feb 2006 10:31:30 +0000 From: Tim Ellison User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: harmony-dev@incubator.apache.org Subject: Re: verifying signed jars References: <43EB3119.8030801@gmail.com> <43EC604E.3040706@gmail.com> <43EC6F59.10603@googlemail.com> <6e47b64f0602100251p298009d1g24cb83768f039ccc@mail.gmail.com> <43EC879F.2040305@pobox.com> <906dd82e0602100448p7cb906eaq9b4269d1c23626e1@mail.gmail.com> <43EC9EEE.4080509@pobox.com> <906dd82e0602100859l28cc5779q42e9dec1947bea2b@mail.gmail.com> <43ED0288.3060706@gmail.com> <43F002B4.8060401@gmail.com> <906dd82e0602122136g1397559ehd6695de26f81b8dd@mail.gmail.com> In-Reply-To: <906dd82e0602122136g1397559ehd6695de26f81b8dd@mail.gmail.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N My comment was directed towards: Mikhail Loenko wrote: "The sources would be good - we would be able to fix bugs quickly and replace parts of implementation for example where our code is faster." i.e. why not fix bugs and make it go faster for everyone -- no need to fork. Regards, Tim Mikhail Loenko wrote: > How will it solve our problem with verifying signed jars? > > Thanks, > Mikhail > > On 2/13/06, Richard Liang wrote: >> That's a good idea :-) >> >> Richard Liang >> China Software Development Lab, IBM >> >> >> >> Tim Ellison wrote: >>> Why not contribute directly to BouncyCastle? >>> >>> Regards, >>> Tim >>> >>> Mikhail Loenko wrote: >>> >>>> The sources would be good - we would be able to fix bugs quickly and replace >>>> parts of implementation for example where our code is faster. >>>> >>>> Thanks, >>>> Mikhail >>>> >>>> On 2/10/06, Geir Magnusson Jr wrote: >>>> >>>>> Heh. Everything we will do is legal :) >>>>> >>>>> The point is - would taking some source from BC be the smart thing to do >>>>> - would it be complete, and what kind of maintenance burden would this >>>>> be going forward? Would some kind of re-packaged artifact from the BC >>>>> project itself be better? >>>>> >>>>> Do we need source? Could we have a step where we re-package BC code in >>>>> a form more suited for our purposes? >>>>> >>>>> geir >>>>> >>>>> Mikhail Loenko wrote: >>>>> >>>>>> We can if it is legal >>>>>> >>>>>> Thanks, >>>>>> Mikhail >>>>>> >>>>>> On 2/10/06, Geir Magnusson Jr wrote: >>>>>> >>>>>>> So I'll ask the obvious - can we borrow some of this from BC? >>>>>>> >>>>>>> Stepan Mishura wrote: >>>>>>> >>>>>>>> We should have at least to verify BC provider: >>>>>>>> 1) Message digest algorithm: SHA-1 >>>>>>>> 2) Signature algorithm: SHA1withDSA >>>>>>>> >>>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We >>>>>>>> can verify BC provider first and use it for further jar verifications. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Stepan Mishura >>>>>>>> Intel Middleware Products Division >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 2/10/06, George Harley wrote: >>>>>>>> >>>>>>>>> Hi Tim, >>>>>>>>> >>>>>>>>> In order to verify the signature of those signed provider jars I believe >>>>>>>>> that you would also need trusted implementations of : >>>>>>>>> >>>>>>>>> * SHA-1 and MD5 digest algorithms >>>>>>>>> * DSA and RSA signature algorithms >>>>>>>>> >>>>>>>>> >>>>>>>>> Best regards, >>>>>>>>> George >>>>>>>>> IBM UK >>>>>>>>> >>>>>>>>> >>>>>>>>> Tim Ellison wrote: >>>>>>>>> >>>>>>>>>> Stepan Mishura wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but >>>>>>>>>>> >>>>>>>>> currently >>>>>>>>> >>>>>>>>>>> we don't have Harmony provider so we should define how we locate >>>>>>>>>>> >>>>>>>>> 'trusted >>>>>>>>> >>>>>>>>>>> provides' to be secure. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed >>>>>>>>>> providers' jars and get any others. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Tim >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>>> >>> >> > -- Tim Ellison (t.p.ellison@gmail.com) IBM Java technology centre, UK.