xml-general mailing list archives

From Jake Repp <Ja...@Ingeniux.com>
Subject RE: Signing Apache XML Projects' code
Date Tue, 10 Apr 2001 18:58:54 GMT
Would it be possible to extract all of your jar files into a common
directory (your signed applet, xerces and xalan) after which you can jar
them all into a single archive which you would then sign with your company's
certificate? This way you are saying, "I am representing the validity of
this applet and the libraries being used by it". There shouldn't be any
legal issues with this, and it might take a while before the Apache Foundation
can supply signed jar files.

-Jake Repp

-----Original Message-----
From: Shane_Curcuru@lotus.com [mailto:Shane_Curcuru@lotus.com]
Sent: Tuesday, April 10, 2001 8:59 AM
To: general@xml.apache.org
Cc: kjalbert@software.rockwell.com
Subject: Re: Signing Apache XML Projects' code

Hmmm - interesting question.  While many apache projects sign their
distribution, there are a number of other technical and legal issues about
signing the jars.  Perhaps someone could refresh me on what the technical
things were? (or were those just with the sealed jars, that some people
like and some can't use?)

Legally, I'm not sure how we'd get a Thawte RSA certificate.
Basically, the Apache Software Foundation
http://www.apache.org/foundation/  is a U.S. corporation (now officially
non-profit by the IRS, too!) that exists to provide a legal base and shield
for the code that we all donate to Apache.  The board of directors (made up
of Apache 'members' http://www.apache.org/foundation/members.html ) is
probably the only people who can either make legal agreements on behalf of
Apache, or can actually spend money on behalf of Apache.

So in some ways, it's really a members' decision to think about buying
official 'Apache' certificates.  I know there are a bunch of people in the
webserver realm who are thinking about a more standardized way to sign code
at Apache, but I'm not sure of the status.  One issue would obviously be
language-based: signing .jar files is different than signing whole
distribution units or C/C++ binary files, etc.

The other option might be for a specific PMC or Apache subproject to get
someone to donate the cash to buy a license for that particular group, but
I haven't heard of anyone trying that yet.  Again, if there's any sort of
legal responsibility that holding the certificate means, I'm not sure how
that'd work vis-a-vis all us volunteers and the ASF itself.

Sorry this doesn't sound like much of an answer, but like licensing issues,
there are a bunch of little details that make a difference.  One thing that
could help is if you could briefly describe your organization's experiences
at actually getting and using one of these certificates, and other common
usage cases of them - that way you can help educate this xml.apache.org
community on the issue, so we can start to think about code signing in a
more concrete way.

Thanks for the note!
- Shane

---- you "Albert, Kevin" <kjalbert@software.rockwell.com> wrote ----
> I have developed an applet using JDK 2 version 1.3, and have signed its
> jar using an RSA certificate from Thawte that was purchased by my employer.
> When this signed applet is loaded by the JDK 2 Plug-In, the user is given
> the option of granting permissions to the applet by the Plug-In's security
> dialog.  This allows me to distribute the applet without requiring
> end-users to configure a policy file for the applet.
>
> This is all great, except that I am also using the Apache Xerces and
> Xalan jar files from the applet.  These jars are loaded via the HTML object
> tag's archive parameter.  When Xerces or Xalan has to go outside of the
> Plug-In's "sandbox", permission denied exceptions occur because these jars
> are not signed.
>
> I am wondering if the Apache XML Project has an RSA certificate that can
> be used to sign the Xerces and Xalan jar files.  I would REALLY prefer not
> to require that all of my end-users configure a policy file so the Xerces
> and Xalan jars can be trusted.
>
> Thanks in advance,
> Kevin Albert
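As an added example, not code from this thread or from any Apache project: a Python script that performs the repackaging step Jake describes (unpack the applet, Xerces and Xalan jars and recombine them into one archive to be signed with the company's certificate). Two details matter when you do this by hand. First, the applet jar already carries META-INF/*.SF and *.RSA entries from the earlier signing; they would no longer match the merged contents, so they are dropped and the manifest is regenerated. Second, signing the merged jar means the company vouches for the bundled libraries exactly as shipped, so the script refuses duplicate entries whose bytes differ between jars and can check each library against a digest you obtained from the project's distribution before it is packaged. The jar contents, class names, keystore file and alias are constructed placeholders; the jarsigner invocation printed at the end uses real jarsigner options but is not executed here.

```python
"""Recombine several jars into one archive ready for jarsigner (added example)."""
import hashlib
import io
import zipfile

# Entries produced by an earlier signing; they must not be carried over,
# because their digests would not match the merged archive.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA")
MANIFEST = "META-INF/MANIFEST.MF"


def is_signature_entry(name):
    """True for META-INF/<SIGNER>.SF, .RSA or .DSA (case-insensitive)."""
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_jar(entries):
    """Build a small in-memory jar from {entry name: bytes or str} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_entries(jar_blob):
    with zipfile.ZipFile(io.BytesIO(jar_blob)) as zf:
        return zf.namelist()


def merge_jars(jar_blobs, expected_digests=None):
    """Merge {label: jar bytes} into one unsigned jar.

    Returns (merged jar bytes, {entry name: label it came from}).
    Raises ValueError on a digest mismatch or on two jars that ship
    different bytes under the same entry name.
    """
    expected_digests = expected_digests or {}
    merged, provenance = {}, {}
    for label, blob in jar_blobs.items():
        # Check the library against a digest taken from the project's download
        # page before vouching for it with your own certificate.
        if label in expected_digests and sha256_hex(blob) != expected_digests[label]:
            raise ValueError(f"{label}: digest mismatch, refusing to package it")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                name = info.filename
                if info.is_dir() or name == MANIFEST or is_signature_entry(name):
                    continue
                data = zf.read(name)
                if name in merged and merged[name] != data:
                    raise ValueError(
                        f"conflicting entry {name!r} in {provenance[name]} and {label}")
                merged[name] = data
                provenance.setdefault(name, label)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        # A fresh manifest goes first; jarsigner adds per-entry digests to it.
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nCreated-By: merge_jars example\r\n\r\n")
        for name in sorted(merged):
            zf.writestr(name, merged[name])
    return out.getvalue(), provenance


def demo():
    """Merge a constructed applet jar (already signed) with two constructed library jars."""
    applet = make_jar({
        MANIFEST: "Manifest-Version: 1.0\r\n\r\n",
        "META-INF/COMPANY.SF": b"stale signature file",
        "META-INF/COMPANY.RSA": b"stale signature block",
        "com/example/Applet.class": b"\xca\xfe\xba\xbe applet",
    })
    xerces = make_jar({MANIFEST: "Manifest-Version: 1.0\r\n\r\n",
                       "org/apache/xerces/Parser.class": b"\xca\xfe\xba\xbe xerces"})
    xalan = make_jar({"org/apache/xalan/Transform.class": b"\xca\xfe\xba\xbe xalan"})
    # Placeholder: in practice the expected digest comes from the project's release page.
    merged, provenance = merge_jars(
        {"applet.jar": applet, "xerces.jar": xerces, "xalan.jar": xalan},
        expected_digests={"xerces.jar": sha256_hex(xerces)})
    return list_entries(merged), provenance


if __name__ == "__main__":
    entries, provenance = demo()
    for name in entries:
        print(name, "<-", provenance.get(name, "generated"))
    # Placeholder keystore and alias; run these after writing the merged jar to disk.
    print("jarsigner -keystore company.jks -signedjar applet-all-signed.jar applet-all.jar companyalias")
    print("jarsigner -verify -verbose -certs applet-all-signed.jar")
```

After signing, `jarsigner -verify` should report every entry as signed and show a single signer; any entry listed as unsigned means something was added after signing or a stale META-INF file slipped through.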

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
