xml-general mailing list archives

From: Kelly Campbell <c...@channelpoint.com>
Subject: RE: Signing Apache XML Projects' code
Date: Tue, 10 Apr 2001 17:45:21 GMT

One potential problem is you need to have access to the private key for
signing. So whoever builds the distributions would need trusted access to
the key, and it would have to be well protected. Keys signed by an authority
like Thawte or Verisign usually cost a couple hundred dollars, and must be
renewed annually.

There's really nothing to keep individual companies from repackaging the
xerces or xalan jars and signing them with their own certificates for doing
applets. I think this is probably an ok alternative if you need signed jars.
I personally repackage the xerces jar anyway just to compress it. I'm not
sure why the default distribution doesn't compress the jar right now, other
than the obvious performance hit during classloading. I haven't found this
performance hit to be that bad though.

On the jar sealing issue, I don't think we should do that as it seems like
it's against the whole idea of opensource software where you can use just
about anything in the code you want (at your own risk of course).

-Kelly

> -----Original Message-----
> From: Shane_Curcuru@lotus.com [mailto:Shane_Curcuru@lotus.com]
> Sent: Tuesday, April 10, 2001 9:59 AM
> To: general@xml.apache.org
> Cc: kjalbert@software.rockwell.com
> Subject: Re: Signing Apache XML Projects' code
> 
> Hmmm - interesting question.  While many apache projects sign their
> distribution, there are a number of other technical and legal issues about
> signing the jars.  Perhaps someone could refresh me on what the technical
> things were? (or were those just with the sealed jars, that some people
> like and some can't use?)
> 
> Legally, I'm not sure how we'd get a Thawte RSA certificate.
> <i-am-not-a-lawyer>
> Basically, the Apache Software Foundation
> http://www.apache.org/foundation/  is a U.S. corporation (now officially
> non-profit by the IRS, too!) that exists to provide a legal base and shield
> for the code that we all donate to Apache.  The board of directors (made up
> of Apache 'members' http://www.apache.org/foundation/members.html ) is
> probably the only people who can either make legal agreements on behalf of
> Apache, or can actually spend money on behalf of Apache.
> 
> So in some ways, it's really a members' decision to think about buying
> official 'Apache' certificates.  I know there are a bunch of people in the
> webserver realm who are thinking about a more standardized way to sign code
> at Apache, but I'm not sure of the status.  One issue would obviously be
> language-based: signing .jar files is different than signing whole
> distribution units or C/C++ binary files, etc.
> 
> The other option might be for a specific PMC or Apache subproject to get
> someone to donate the cash to buy a license for that particular group, but
> I haven't heard of anyone trying that yet.  Again, if there's any sort of
> legal responsibility that holding the certificate means, I'm not sure how
> that'd work vis-a-vis all us volunteers and the ASF itself.
> </i-am-not-a-lawyer>
> 
> Sorry this doesn't sound like much of an answer, but like licensing issues,
> there are a bunch of little details that make a difference.  One thing that
> could help is if you could briefly describe your organization's experiences
> at actually getting and using one of these certificates, and other common
> usage cases of them - that way you can help educate this xml.apache.org
> community on the issue, so we can start to think about code signing in a
> more concrete way.
> 
> Thanks for the note!
> - Shane
> 
> ---- you "Albert, Kevin" <kjalbert@software.rockwell.com> wrote ----
> > I have developed an applet using JDK 2 version 1.3, and have signed its
> > jar using an RSA certificate from Thawte that was purchased by my employer.
> > When this signed applet is loaded by the JDK 2 Plug-In, the user is given
> > the option of granting permissions to the applet by the Plug-In's security
> > dialog.  This allows me to distribute the applet without requiring
> > end-users to configure a policy file for the applet.
> >
> > This is all great, except that I am also using the Apache Xerces and
> > Xalan jar files from the applet.  These jars are loaded via the HTML object
> > tag's archive parameter.  When Xerces or Xalan has to go outside of the
> > Plug-In's "sandbox", permission denied exceptions occur because these jars
> > are not signed.
> >
> > I am wondering if the Apache XML Project has an RSA certificate that can
> > be used to sign the Xerces and Xalan jar files.  I would REALLY prefer not
> > to require that all of my end-users configure a policy file so the Xerces
> > and Xalan jars can be trusted.
> >
> > Thanks in advance,
> > Kevin Albert
> 
> ---------------------------------------------------------------------
> In case of troubles, e-mail:     webmaster@xml.apache.org
> To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
> 
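
Added example, not part of either message or of any Apache project's code: a Python check that reports the jar properties this thread discusses (signature files present, the `Sealed` manifest attribute, stored versus compressed entries, and payload entries that no manifest digest covers, as happens when files are added after signing). The jar contents, the `ACME` signer name and the `org/example` paths are constructed sample input, and the code assumes the jar has a `META-INF/MANIFEST.MF`.

```python
import io
import zipfile

def parse_manifest(text):
    """Split MANIFEST.MF into (main attrs, {entry name: attrs}), joining continuation lines."""
    sections, current, key = [], {}, None
    for line in text.replace("\r\n", "\n").split("\n") + [""]:
        if line.startswith(" ") and key:
            current[key] += line[1:]              # continuation of a wrapped value
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
        elif not line.strip() and current:        # blank line closes a section
            sections.append(current)
            current, key = {}, None
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}

def inspect_jar(data):
    """Report signing, sealing and compression state of a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        infos = [i for i in jar.infolist() if not i.is_dir()]
        main, per_entry = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    names = [i.filename for i in infos]
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
    payload = [n for n in names if not n.upper().startswith("META-INF/")]
    return {
        # jarsigner writes a .SF file plus a .RSA/.DSA/.EC signature block
        "signed": any(n.endswith(".SF") for n in meta) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta),
        "sealed": main.get("Sealed", "").lower() == "true",
        "stored": sum(i.compress_type == zipfile.ZIP_STORED for i in infos),
        # payload entries with no *-Digest attribute are not covered by any signature
        "undigested": sorted(n for n in payload
                             if not any(k.endswith("-Digest") for k in per_entry.get(n, {}))),
    }

def build_jar(manifest, files, compression):      # builds the constructed sample jars
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as jar:
        for name, body in {"META-INF/MANIFEST.MF": manifest, **files}.items():
            jar.writestr(name, body)
    return buf.getvalue()

CLASS = b"\xca\xfe\xba\xbe"                       # constructed stand-in for class bytes
PLAIN = build_jar("Manifest-Version: 1.0\r\n\r\n", {"org/example/Parser.class": CLASS}, zipfile.ZIP_STORED)
RESIGNED = build_jar(
    "Manifest-Version: 1.0\r\nSealed: true\r\n\r\n"
    "Name: org/example/Parser.class\r\nSHA-256-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n",
    {"org/example/Parser.class": CLASS, "org/example/Added.class": CLASS,
     "META-INF/ACME.SF": "Signature-Version: 1.0\r\n", "META-INF/ACME.RSA": b"placeholder"},
    zipfile.ZIP_DEFLATED)
```

This reports structure only and does not validate any signature cryptographically; `jarsigner -verify` does that against the certificate chain.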
