river-dev mailing list archives

From Tim Blackman <tim.black...@gmail.com>
Subject Re: Jini Spec API changes - ServiceRegistrar AND OR <> Entry comparison Filtering
Date Thu, 29 Apr 2010 20:25:34 GMT
On Apr 29, 2010, at 3:23 PM, Gregg Wonderly wrote:

> Peter Firmstone wrote:
>> I don't know how to enable the Service to specify a constraint on the signer of the downloaded codebase if not originating from the service, any ideas?
> 
> The HTTPMD protocol handler (URLStreamHandler) does this by requiring that you know the MD5 sum of the jar that you want to download.  If you try and download the jar, and the sum is different, you can know that the content is not what you originally knew it to be.
> 
> Not directly signing, but a mechanism that is similar and provides a fairly secured indication of "source" based on what you knew at the moment you acquired the MD5 sum.

As long as you use a strong enough message digest -- SHA-1 or something still stronger would
be better choices these days now that the safety of MD5 is uncertain -- the security of HTTPMD
is just as good as that of code signing.

- Tim
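
The digest check discussed in this thread, as an added example that is not part of the original messages or of the River code base: a pin recorded when the jar is first trusted is compared against the digest of the bytes downloaded later. The class name, the allow-list of algorithms and the sample byte strings are assumptions of this example; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Set;

public class PinnedDigestCheck {
    // Assumption of this example: only these algorithms are accepted; MD5 is left out.
    private static final Set<String> ALLOWED = Set.of("SHA-256", "SHA-512");

    /** True only if content hashes to the pinned hex digest under an allowed algorithm. */
    static boolean matchesPin(byte[] content, String algorithm, String pinnedHex)
            throws NoSuchAlgorithmException {
        if (!ALLOWED.contains(algorithm)) {
            throw new IllegalArgumentException("digest algorithm not allowed: " + algorithm);
        }
        byte[] actual = MessageDigest.getInstance(algorithm).digest(content);
        // isEqual returns false on a length mismatch, so a truncated pin never matches.
        return MessageDigest.isEqual(actual, fromHex(pinnedHex));
    }

    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the jar as first trusted and as later downloaded.
        byte[] trusted = "constructed jar bytes v1".getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "constructed jar bytes v1 + extra class".getBytes(StandardCharsets.UTF_8);
        // The pin is recorded once, at the moment the jar is trusted.
        String pin = toHex(MessageDigest.getInstance("SHA-256").digest(trusted));
        System.out.println("same content:    " + matchesPin(trusted, "SHA-256", pin));
        System.out.println("changed content: " + matchesPin(swapped, "SHA-256", pin));
        System.out.println("truncated pin:   " + matchesPin(trusted, "SHA-256", pin.substring(0, 32)));
    }
}
```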