logging-log4j-user mailing list archives

From "Stockwell, Ted" <ted.stockw...@xqsite.com>
Subject RE: need signed version of log4j.jar...
Date Thu, 11 Jan 2001 16:15:38 GMT
y'know...I'm now thinking that you're correct, that I should sign all the
jars myself.

It seemed to me that signing the log4j.jar myself was somehow
misrepresenting myself as the author/owner of the log4j.jar.
I guess I should instead think of the act of signing a jar file as just
vouching for the jar file's trustworthiness.  

Therefore, I withdraw my request for signed jar files. 

Thanks for the clarification,

ted

> -----Original Message-----
> From: Tom Palmer [mailto:tom.palmer@interpath.net]
> 
> 
> Ted -
> 
> Seems like signing the jar file yourself *is* the right solution since
> you can sign all your jars with the same key - one that you control and
> provide to your clients for installation and permission granting.  What
> are we missing?
> 
> Ceki Gulcu wrote:
> > 
> > Ted,
> > 
> > The act of signing is not a problem. However, wouldn't the public signer's
> > key need to be registered somewhere? Otherwise Ali could claim to be Ahmet.
> > What is Java's security model? Is something signed deemed good as long as
> > it is signed regardless of the identity of the signer? That would be
> > pretty silly.
> > 
> > My question is really do I (or Apache) need to register with some CA? Any
> > enlightenment on this issue would be appreciated. Ceki
> > 
> > At 16:43 10.01.2001 -0600, you wrote:
> > >Hi,
> > >
> > >Since this is my first post to the log4j list I would first like to say
> > >THANK YOU for making this tool available.  It is very fine work.
> > >
> > >Basically, this post is a request that you distribute digitally signed
> > >versions of log4j.jar and log4j-core.jar.
> > >
> > >Here's why...
> > >I have just started using Log4J in an application that I intend to
> > >distribute using Java Web Start (http://java.sun.com/products/javawebstart).
> > >
> > >Java Web Start basically downloads applications to a client machine and runs
> > >the applications in a sandbox, much like a browser runs applets.
> > >My application is distributed in a signed jar and because my application's
> > >jar is signed my application can request that it be given all permissions on
> > >the client machine on which it is running.
> > >Third-party "extensions" that are used by my application, like log4j, may
> > >inherit my application's permissions but only if the code is signed.  Since
> > >the log4j.jar is not signed it is not granted any permissions at all by Java
> > >WebStart and is therefore unusable (log4j immediately generates the
> > >Exception shown below).
> > >
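
The thread settles on signing every jar with one key that the distributor controls and hands to clients. As an added example (not part of the thread and not log4j code), the check below confirms that each jar is fully signed by a single certificate and that its SHA-256 fingerprint matches the one the client was given; the class name `SameSignerCheck` and passing the expected fingerprint as the first argument are assumptions made for illustration.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (Java 17+). Usage: java SameSignerCheck <expected-sha256-hex> a.jar b.jar ...
public class SameSignerCheck {

    // Returns the SHA-256 fingerprint of the one certificate that signed every
    // entry of the jar. Throws SecurityException if an entry is unsigned, has
    // been modified since signing, or was signed with a different certificate.
    static String signerFingerprint(String path) throws Exception {
        String seen = null;
        try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and META-INF/, where the
                // manifest and the signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer data is only populated once the entry has been read
                // to the end; a digest mismatch throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                Certificate[] chain = e.getCertificates();
                if (chain == null || chain.length == 0)
                    throw new SecurityException(path + ": unsigned entry " + e.getName());
                // Assumes a single signer: chain[0] is that signer's own certificate.
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                String fp = HexFormat.of().formatHex(digest);
                if (seen != null && !seen.equals(fp))
                    throw new SecurityException(path + ": mixed signers at " + e.getName());
                seen = fp;
            }
        }
        if (seen == null) throw new SecurityException(path + ": no signed entries");
        return seen;
    }

    public static void main(String[] args) throws Exception {
        String expected = args[0].replace(":", "").toLowerCase();
        for (int i = 1; i < args.length; i++) {
            String fp = signerFingerprint(args[i]);
            if (!fp.equals(expected))
                throw new SecurityException(args[i] + ": signer " + fp + " is not the expected key");
            System.out.println(args[i] + ": OK, signed by " + fp);
        }
    }
}
```

The comparison against a fingerprint obtained out of band is what ties the signature to an identity: a valid signature on its own only shows the jar is unchanged since whoever holds that key signed it.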
