xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shane_Curc...@lotus.com
Subject Re: Signing Apache XML Projects' code
Date Tue, 10 Apr 2001 15:59:14 GMT

Hmmm - interesting question.  While many apache projects sign their
distribution, there are a number of other technical and legal issues about
signing the jars.  Perhaps someone could refresh me on what the technical
things were? (or were those just with the sealed jars, that some people
like and some can't use?)

Legally, I'm not sure how we'd get a Thawte RSA certificate.
Basically, the Apache Software Foundation
http://www.apache.org/foundation/  is a U.S. corporation (now officially
non-profit by the IRS, too!) that exists to provide a legal base and shield
for the code that we all donate to Apache.  The board of directors (made up
of Apache 'members' http://www.apache.org/foundation/members.html ) is
probably the only people who can either make legal agreements on behalf of
Apache, or can actually spend money on behalf of Apache.

So in some ways, it's really a members decision to think about buying
official 'Apache' certificates.  I know there are a bunch of people in the
webserver realm who are thinking about a more standardized way to sign code
at Apache, but I'm not sure of the status.  One issue would obviously be
language-based: signing .jar files is different than signing whole
distribution units or C/C++ binary files, etc.

The other option might be for a specific PMC or Apache subproject to get
someone to donate the cash to buy a license for that particular group, but
I haven't heard of anyone trying that yet.  Again, if there's any sort of
legal responsibility that holding the certificate means, I'm not sure how
that'd work vis-a-vis all us volunteers and the ASF itself.

Sorry this doesn't sound like much of an answer, but like licensing issues,
there are a bunch of little details that make a difference.  One thing that
could help is if you could briefly describe your organizations experiences
at actualling getting and using one of these certificates, and other common
usage cases of them - that way you can help educate this xml.apache.org
community on the issue, so we can start to think about code signing in a
more concrete way.

Thanks for the note!
- Shane

---- you "Albert, Kevin" <kjalbert@software.rockwell.com> wrote ----
> I have developed an applet using JDK 2 version 1.3, and have signed its
jar using an RSA certificate from Thawte that was purchased by my employer.
> When this signed applet is loaded by the JDK 2 Plug-In, the user is given
the option of granting permissions to the applet by the Plug-In's security
dialog.  This allows me to distribute the applet without requiring
end-users to configure a policy file for the applet.

> This is all great, except that I am also using the Apache Xerces and
Xalan jar files from the applet.  These jars are loaded via the HTML object
tag's archive parameter.  When Xerces or Xalan has to go outside of the
Plug-In's "sandbox", permission denied exceptions occur because these jars
are not signed.

> I am wondering if the Apache XML Project has an RSA certificate that can
be used to sign the Xerces and Xalan jar files.  I would REALLY prefer not
to require that all of my end-users configure a policy file so the Xerces
and Xalan jars can be trusted.

> Thanks in advance,
> Kevin Albert

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org

View raw message