Posted to dev@harmony.apache.org by Tim Ellison <t....@gmail.com> on 2006/02/10 10:43:42 UTC

verifying signed jars (was: Re: FYI missing mail)

Stepan Mishura wrote:
<snip>
> Returning back to the 'missing post'. I agreed with suggestion but currently
> we don't have Harmony provider so we should define how we locate 'trusted
> provides' to be secure.

We just need a trusted SHA1PRNG, right? then we can open signed
providers' jars and get any others.

Regards,
Tim

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Re: verifying signed jars

Posted by Davanum Srinivas <da...@gmail.com>.
Folks,

FYI, we are going take some code from BC in juice project. Check [1]
for more info.

thanks,
dims

[1] http://mail-archives.apache.org/mod_mbox/xml-juice-dev/200601.mbox/%3C43CE5A15.6030202@t-online.de%3E

On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> Heh.  Everything we will do is legal :)
>
> The point is - would taking some source from BC be the smart thing to do
> - would it be complete, and what kind of maintenance burden would this
> be going forward?  Would some kind of re-packaged artifact from the BC
> project itself be better?
>
> Do we need source?  Could we have a step where we re-package BC code in
> a form more suited for our purposes?
>
> geir
>
> Mikhail Loenko wrote:
> > We can if it is legal
> >
> > Thanks,
> > Mikhail
> >
> > On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >> So I'll ask the obvious - can we borrow some of this from BC?
> >>
> >> Stepan Mishura wrote:
> >>> We should have at least to verify BC provider:
> >>> 1) Message digest algorithm: SHA-1
> >>> 2) Signature algorithm: SHA1withDSA
> >>>
> >>> Other jars may require additional algorithms, for example, SHA1withRSA. We
> >>> can verify BC provider first and use it for further jar verifications.
> >>>
> >>> Thanks,
> >>> Stepan Mishura
> >>> Intel Middleware Products Division
> >>>
> >>>
> >>>
> >>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> >>>> Hi Tim,
> >>>>
> >>>> In order to verify the signature of those signed provider jars I believe
> >>>> that you would also need trusted implementations of :
> >>>>
> >>>> * SHA-1 and MD5 digest algorithms
> >>>> * DSA and RSA signature algorithms
> >>>>
> >>>>
> >>>> Best regards,
> >>>> George
> >>>> IBM UK
> >>>>
> >>>>
> >>>> Tim Ellison wrote:
> >>>>> Stepan Mishura wrote:
> >>>>> <snip>
> >>>>>
> >>>>>> Returning back to the 'missing post'. I agreed with suggestion but
> >>>> currently
> >>>>>> we don't have Harmony provider so we should define how we locate
> >>>> 'trusted
> >>>>>> provides' to be secure.
> >>>>>>
> >>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>> providers' jars and get any others.
> >>>>>
> >>>>> Regards,
> >>>>> Tim
> >>>>>
> >>>>>
> >>>
> >>> --
> >>>
> >
> >
>


--
Davanum Srinivas : http://wso2.com/blogs/

Re: verifying signed jars

Posted by Mikhail Loenko <ml...@gmail.com>.
Well, we can start with binaries and if we strike a snag will see

Thanks,
Mikhail

On 2/13/06, Tim Ellison <t....@gmail.com> wrote:
> My comment was directed towards:
>
> Mikhail Loenko wrote: "The sources would be good - we would be able to
> fix bugs quickly and replace parts of implementation for example where
> our code is faster."
>
> i.e. why not fix bugs and make it go faster for everyone -- no need to fork.
>
> Regards,
> Tim
>
> Mikhail Loenko wrote:
> > How will it solve our problem with verifying signed jars?
> >
> > Thanks,
> > Mikhail
> >
> > On 2/13/06, Richard Liang <ri...@gmail.com> wrote:
> >> That's a good idea :-)
> >>
> >> Richard Liang
> >> China Software Development Lab, IBM
> >>
> >>
> >>
> >> Tim Ellison wrote:
> >>> Why not contribute directly to BouncyCastle?
> >>>
> >>> Regards,
> >>> Tim
> >>>
> >>> Mikhail Loenko wrote:
> >>>
> >>>> The sources would be good - we would be able to fix bugs quickly and replace
> >>>> parts of implementation for example where our code is faster.
> >>>>
> >>>> Thanks,
> >>>> Mikhail
> >>>>
> >>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >>>>
> >>>>> Heh.  Everything we will do is legal :)
> >>>>>
> >>>>> The point is - would taking some source from BC be the smart thing to do
> >>>>> - would it be complete, and what kind of maintenance burden would this
> >>>>> be going forward?  Would some kind of re-packaged artifact from the BC
> >>>>> project itself be better?
> >>>>>
> >>>>> Do we need source?  Could we have a step where we re-package BC code in
> >>>>> a form more suited for our purposes?
> >>>>>
> >>>>> geir
> >>>>>
> >>>>> Mikhail Loenko wrote:
> >>>>>
> >>>>>> We can if it is legal
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Mikhail
> >>>>>>
> >>>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >>>>>>
> >>>>>>> So I'll ask the obvious - can we borrow some of this from BC?
> >>>>>>>
> >>>>>>> Stepan Mishura wrote:
> >>>>>>>
> >>>>>>>> We should have at least to verify BC provider:
> >>>>>>>> 1) Message digest algorithm: SHA-1
> >>>>>>>> 2) Signature algorithm: SHA1withDSA
> >>>>>>>>
> >>>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
> >>>>>>>> can verify BC provider first and use it for further jar verifications.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Stepan Mishura
> >>>>>>>> Intel Middleware Products Division
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi Tim,
> >>>>>>>>>
> >>>>>>>>> In order to verify the signature of those signed provider jars I believe
> >>>>>>>>> that you would also need trusted implementations of :
> >>>>>>>>>
> >>>>>>>>> * SHA-1 and MD5 digest algorithms
> >>>>>>>>> * DSA and RSA signature algorithms
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Best regards,
> >>>>>>>>> George
> >>>>>>>>> IBM UK
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Tim Ellison wrote:
> >>>>>>>>>
> >>>>>>>>>> Stepan Mishura wrote:
> >>>>>>>>>> <snip>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
> >>>>>>>>>>>
> >>>>>>>>> currently
> >>>>>>>>>
> >>>>>>>>>>> we don't have Harmony provider so we should define how we locate
> >>>>>>>>>>>
> >>>>>>>>> 'trusted
> >>>>>>>>>
> >>>>>>>>>>> provides' to be secure.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>>>>>>> providers' jars and get any others.
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Tim
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>> --
> >>>>>>>>
> >>>>>>>>
> >>>
> >>
> >
>
> --
>
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.
>

Re: verifying signed jars

Posted by Richard Liang <ri...@gmail.com>.
Hello Mikhail Loenko,

:-) I'm just wondering whether it's possible to change/improve 
BouncyCastle to meet our requirement.

Richard Liang
China Software Development Lab, IBM



Mikhail Loenko wrote:
> How will it solve our problem with verifying signed jars?
>
> Thanks,
> Mikhail
>
> On 2/13/06, Richard Liang <ri...@gmail.com> wrote:
>   
>> That's a good idea :-)
>>
>> Richard Liang
>> China Software Development Lab, IBM
>>
>>
>>
>> Tim Ellison wrote:
>>     
>>> Why not contribute directly to BouncyCastle?
>>>
>>> Regards,
>>> Tim
>>>
>>> Mikhail Loenko wrote:
>>>
>>>       
>>>> The sources would be good - we would be able to fix bugs quickly and replace
>>>> parts of implementation for example where our code is faster.
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>>
>>>>         
>>>>> Heh.  Everything we will do is legal :)
>>>>>
>>>>> The point is - would taking some source from BC be the smart thing to do
>>>>> - would it be complete, and what kind of maintenance burden would this
>>>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>>>> project itself be better?
>>>>>
>>>>> Do we need source?  Could we have a step where we re-package BC code in
>>>>> a form more suited for our purposes?
>>>>>
>>>>> geir
>>>>>
>>>>> Mikhail Loenko wrote:
>>>>>
>>>>>           
>>>>>> We can if it is legal
>>>>>>
>>>>>> Thanks,
>>>>>> Mikhail
>>>>>>
>>>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>>>>
>>>>>>             
>>>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>>>
>>>>>>> Stepan Mishura wrote:
>>>>>>>
>>>>>>>               
>>>>>>>> We should have at least to verify BC provider:
>>>>>>>> 1) Message digest algorithm: SHA-1
>>>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>>>
>>>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stepan Mishura
>>>>>>>> Intel Middleware Products Division
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> Hi Tim,
>>>>>>>>>
>>>>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>>>>> that you would also need trusted implementations of :
>>>>>>>>>
>>>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>>>> * DSA and RSA signature algorithms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> George
>>>>>>>>> IBM UK
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Tim Ellison wrote:
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>> Stepan Mishura wrote:
>>>>>>>>>> <snip>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>>>>>>>>>
>>>>>>>>>>>                       
>>>>>>>>> currently
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>>> we don't have Harmony provider so we should define how we locate
>>>>>>>>>>>
>>>>>>>>>>>                       
>>>>>>>>> 'trusted
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>>> provides' to be secure.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>                       
>>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>>>>> providers' jars and get any others.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>       
>>     
>
>   

Re: verifying signed jars

Posted by Tim Ellison <t....@gmail.com>.
My comment was directed towards:

Mikhail Loenko wrote: "The sources would be good - we would be able to
fix bugs quickly and replace parts of implementation for example where
our code is faster."

i.e. why not fix bugs and make it go faster for everyone -- no need to fork.

Regards,
Tim

Mikhail Loenko wrote:
> How will it solve our problem with verifying signed jars?
> 
> Thanks,
> Mikhail
> 
> On 2/13/06, Richard Liang <ri...@gmail.com> wrote:
>> That's a good idea :-)
>>
>> Richard Liang
>> China Software Development Lab, IBM
>>
>>
>>
>> Tim Ellison wrote:
>>> Why not contribute directly to BouncyCastle?
>>>
>>> Regards,
>>> Tim
>>>
>>> Mikhail Loenko wrote:
>>>
>>>> The sources would be good - we would be able to fix bugs quickly and replace
>>>> parts of implementation for example where our code is faster.
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>>
>>>>> Heh.  Everything we will do is legal :)
>>>>>
>>>>> The point is - would taking some source from BC be the smart thing to do
>>>>> - would it be complete, and what kind of maintenance burden would this
>>>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>>>> project itself be better?
>>>>>
>>>>> Do we need source?  Could we have a step where we re-package BC code in
>>>>> a form more suited for our purposes?
>>>>>
>>>>> geir
>>>>>
>>>>> Mikhail Loenko wrote:
>>>>>
>>>>>> We can if it is legal
>>>>>>
>>>>>> Thanks,
>>>>>> Mikhail
>>>>>>
>>>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>>>>
>>>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>>>
>>>>>>> Stepan Mishura wrote:
>>>>>>>
>>>>>>>> We should have at least to verify BC provider:
>>>>>>>> 1) Message digest algorithm: SHA-1
>>>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>>>
>>>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Stepan Mishura
>>>>>>>> Intel Middleware Products Division
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Tim,
>>>>>>>>>
>>>>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>>>>> that you would also need trusted implementations of :
>>>>>>>>>
>>>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>>>> * DSA and RSA signature algorithms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> George
>>>>>>>>> IBM UK
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Tim Ellison wrote:
>>>>>>>>>
>>>>>>>>>> Stepan Mishura wrote:
>>>>>>>>>> <snip>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>>>>>>>>>
>>>>>>>>> currently
>>>>>>>>>
>>>>>>>>>>> we don't have Harmony provider so we should define how we locate
>>>>>>>>>>>
>>>>>>>>> 'trusted
>>>>>>>>>
>>>>>>>>>>> provides' to be secure.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>>>>> providers' jars and get any others.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>>
>>>
>>
> 

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Re: verifying signed jars

Posted by Mikhail Loenko <ml...@gmail.com>.
How will it solve our problem with verifying signed jars?

Thanks,
Mikhail

On 2/13/06, Richard Liang <ri...@gmail.com> wrote:
> That's a good idea :-)
>
> Richard Liang
> China Software Development Lab, IBM
>
>
>
> Tim Ellison wrote:
> > Why not contribute directly to BouncyCastle?
> >
> > Regards,
> > Tim
> >
> > Mikhail Loenko wrote:
> >
> >> The sources would be good - we would be able to fix bugs quickly and replace
> >> parts of implementation for example where our code is faster.
> >>
> >> Thanks,
> >> Mikhail
> >>
> >> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >>
> >>> Heh.  Everything we will do is legal :)
> >>>
> >>> The point is - would taking some source from BC be the smart thing to do
> >>> - would it be complete, and what kind of maintenance burden would this
> >>> be going forward?  Would some kind of re-packaged artifact from the BC
> >>> project itself be better?
> >>>
> >>> Do we need source?  Could we have a step where we re-package BC code in
> >>> a form more suited for our purposes?
> >>>
> >>> geir
> >>>
> >>> Mikhail Loenko wrote:
> >>>
> >>>> We can if it is legal
> >>>>
> >>>> Thanks,
> >>>> Mikhail
> >>>>
> >>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >>>>
> >>>>> So I'll ask the obvious - can we borrow some of this from BC?
> >>>>>
> >>>>> Stepan Mishura wrote:
> >>>>>
> >>>>>> We should have at least to verify BC provider:
> >>>>>> 1) Message digest algorithm: SHA-1
> >>>>>> 2) Signature algorithm: SHA1withDSA
> >>>>>>
> >>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
> >>>>>> can verify BC provider first and use it for further jar verifications.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Stepan Mishura
> >>>>>> Intel Middleware Products Division
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> >>>>>>
> >>>>>>> Hi Tim,
> >>>>>>>
> >>>>>>> In order to verify the signature of those signed provider jars I believe
> >>>>>>> that you would also need trusted implementations of :
> >>>>>>>
> >>>>>>> * SHA-1 and MD5 digest algorithms
> >>>>>>> * DSA and RSA signature algorithms
> >>>>>>>
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>> George
> >>>>>>> IBM UK
> >>>>>>>
> >>>>>>>
> >>>>>>> Tim Ellison wrote:
> >>>>>>>
> >>>>>>>> Stepan Mishura wrote:
> >>>>>>>> <snip>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
> >>>>>>>>>
> >>>>>>> currently
> >>>>>>>
> >>>>>>>>> we don't have Harmony provider so we should define how we locate
> >>>>>>>>>
> >>>>>>> 'trusted
> >>>>>>>
> >>>>>>>>> provides' to be secure.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>>>>> providers' jars and get any others.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Tim
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>> --
> >>>>>>
> >>>>>>
> >
> >
>
>

Re: verifying signed jars

Posted by Richard Liang <ri...@gmail.com>.
That's a good idea :-)

Richard Liang
China Software Development Lab, IBM



Tim Ellison wrote:
> Why not contribute directly to BouncyCastle?
>
> Regards,
> Tim
>
> Mikhail Loenko wrote:
>   
>> The sources would be good - we would be able to fix bugs quickly and replace
>> parts of implementation for example where our code is faster.
>>
>> Thanks,
>> Mikhail
>>
>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>     
>>> Heh.  Everything we will do is legal :)
>>>
>>> The point is - would taking some source from BC be the smart thing to do
>>> - would it be complete, and what kind of maintenance burden would this
>>> be going forward?  Would some kind of re-packaged artifact from the BC
>>> project itself be better?
>>>
>>> Do we need source?  Could we have a step where we re-package BC code in
>>> a form more suited for our purposes?
>>>
>>> geir
>>>
>>> Mikhail Loenko wrote:
>>>       
>>>> We can if it is legal
>>>>
>>>> Thanks,
>>>> Mikhail
>>>>
>>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>>         
>>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>>
>>>>> Stepan Mishura wrote:
>>>>>           
>>>>>> We should have at least to verify BC provider:
>>>>>> 1) Message digest algorithm: SHA-1
>>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>>
>>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>>
>>>>>> Thanks,
>>>>>> Stepan Mishura
>>>>>> Intel Middleware Products Division
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>>>>>>             
>>>>>>> Hi Tim,
>>>>>>>
>>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>>> that you would also need trusted implementations of :
>>>>>>>
>>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>>> * DSA and RSA signature algorithms
>>>>>>>
>>>>>>>
>>>>>>> Best regards,
>>>>>>> George
>>>>>>> IBM UK
>>>>>>>
>>>>>>>
>>>>>>> Tim Ellison wrote:
>>>>>>>               
>>>>>>>> Stepan Mishura wrote:
>>>>>>>> <snip>
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>>>>>>>                   
>>>>>>> currently
>>>>>>>               
>>>>>>>>> we don't have Harmony provider so we should define how we locate
>>>>>>>>>                   
>>>>>>> 'trusted
>>>>>>>               
>>>>>>>>> provides' to be secure.
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>>> providers' jars and get any others.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Tim
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>> --
>>>>>>
>>>>>>             
>
>   

Re: verifying signed jars

Posted by Tim Ellison <t....@gmail.com>.
Why not contribute directly to BouncyCastle?

Regards,
Tim

Mikhail Loenko wrote:
> The sources would be good - we would be able to fix bugs quickly and replace
> parts of implementation for example where our code is faster.
> 
> Thanks,
> Mikhail
> 
> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>> Heh.  Everything we will do is legal :)
>>
>> The point is - would taking some source from BC be the smart thing to do
>> - would it be complete, and what kind of maintenance burden would this
>> be going forward?  Would some kind of re-packaged artifact from the BC
>> project itself be better?
>>
>> Do we need source?  Could we have a step where we re-package BC code in
>> a form more suited for our purposes?
>>
>> geir
>>
>> Mikhail Loenko wrote:
>>> We can if it is legal
>>>
>>> Thanks,
>>> Mikhail
>>>
>>> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>
>>>> Stepan Mishura wrote:
>>>>> We should have at least to verify BC provider:
>>>>> 1) Message digest algorithm: SHA-1
>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>
>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>
>>>>> Thanks,
>>>>> Stepan Mishura
>>>>> Intel Middleware Products Division
>>>>>
>>>>>
>>>>>
>>>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>>>>>> Hi Tim,
>>>>>>
>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>> that you would also need trusted implementations of :
>>>>>>
>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>> * DSA and RSA signature algorithms
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> George
>>>>>> IBM UK
>>>>>>
>>>>>>
>>>>>> Tim Ellison wrote:
>>>>>>> Stepan Mishura wrote:
>>>>>>> <snip>
>>>>>>>
>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>>>> currently
>>>>>>>> we don't have Harmony provider so we should define how we locate
>>>>>> 'trusted
>>>>>>>> provides' to be secure.
>>>>>>>>
>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>> providers' jars and get any others.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>> --
>>>>>
>>>
> 

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.

Re: verifying signed jars

Posted by Mikhail Loenko <ml...@gmail.com>.
The sources would be good - we would be able to fix bugs quickly and replace
parts of implementation for example where our code is faster.

Thanks,
Mikhail

On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> Heh.  Everything we will do is legal :)
>
> The point is - would taking some source from BC be the smart thing to do
> - would it be complete, and what kind of maintenance burden would this
> be going forward?  Would some kind of re-packaged artifact from the BC
> project itself be better?
>
> Do we need source?  Could we have a step where we re-package BC code in
> a form more suited for our purposes?
>
> geir
>
> Mikhail Loenko wrote:
> > We can if it is legal
> >
> > Thanks,
> > Mikhail
> >
> > On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> >> So I'll ask the obvious - can we borrow some of this from BC?
> >>
> >> Stepan Mishura wrote:
> >>> We should have at least to verify BC provider:
> >>> 1) Message digest algorithm: SHA-1
> >>> 2) Signature algorithm: SHA1withDSA
> >>>
> >>> Other jars may require additional algorithms, for example, SHA1withRSA. We
> >>> can verify BC provider first and use it for further jar verifications.
> >>>
> >>> Thanks,
> >>> Stepan Mishura
> >>> Intel Middleware Products Division
> >>>
> >>>
> >>>
> >>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> >>>> Hi Tim,
> >>>>
> >>>> In order to verify the signature of those signed provider jars I believe
> >>>> that you would also need trusted implementations of :
> >>>>
> >>>> * SHA-1 and MD5 digest algorithms
> >>>> * DSA and RSA signature algorithms
> >>>>
> >>>>
> >>>> Best regards,
> >>>> George
> >>>> IBM UK
> >>>>
> >>>>
> >>>> Tim Ellison wrote:
> >>>>> Stepan Mishura wrote:
> >>>>> <snip>
> >>>>>
> >>>>>> Returning back to the 'missing post'. I agreed with suggestion but
> >>>> currently
> >>>>>> we don't have Harmony provider so we should define how we locate
> >>>> 'trusted
> >>>>>> provides' to be secure.
> >>>>>>
> >>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>> providers' jars and get any others.
> >>>>>
> >>>>> Regards,
> >>>>> Tim
> >>>>>
> >>>>>
> >>>
> >>> --
> >>>
> >
> >
>

Re: verifying signed jars

Posted by Geir Magnusson Jr <ge...@pobox.com>.
Heh.  Everything we will do is legal :)

The point is - would taking some source from BC be the smart thing to do 
- would it be complete, and what kind of maintenance burden would this 
be going forward?  Would some kind of re-packaged artifact from the BC 
project itself be better?

Do we need source?  Could we have a step where we re-package BC code in 
a form more suited for our purposes?

geir

Mikhail Loenko wrote:
> We can if it is legal
> 
> Thanks,
> Mikhail
> 
> On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
>> So I'll ask the obvious - can we borrow some of this from BC?
>>
>> Stepan Mishura wrote:
>>> We should have at least to verify BC provider:
>>> 1) Message digest algorithm: SHA-1
>>> 2) Signature algorithm: SHA1withDSA
>>>
>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>> can verify BC provider first and use it for further jar verifications.
>>>
>>> Thanks,
>>> Stepan Mishura
>>> Intel Middleware Products Division
>>>
>>>
>>>
>>> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>>>> Hi Tim,
>>>>
>>>> In order to verify the signature of those signed provider jars I believe
>>>> that you would also need trusted implementations of :
>>>>
>>>> * SHA-1 and MD5 digest algorithms
>>>> * DSA and RSA signature algorithms
>>>>
>>>>
>>>> Best regards,
>>>> George
>>>> IBM UK
>>>>
>>>>
>>>> Tim Ellison wrote:
>>>>> Stepan Mishura wrote:
>>>>> <snip>
>>>>>
>>>>>> Returning back to the 'missing post'. I agreed with suggestion but
>>>> currently
>>>>>> we don't have Harmony provider so we should define how we locate
>>>> 'trusted
>>>>>> provides' to be secure.
>>>>>>
>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>> providers' jars and get any others.
>>>>>
>>>>> Regards,
>>>>> Tim
>>>>>
>>>>>
>>>
>>> --
>>>
> 
> 

Re: verifying signed jars

Posted by Mikhail Loenko <ml...@gmail.com>.
We can if it is legal

Thanks,
Mikhail

On 2/10/06, Geir Magnusson Jr <ge...@pobox.com> wrote:
> So I'll ask the obvious - can we borrow some of this from BC?
>
> Stepan Mishura wrote:
> > We should have at least to verify BC provider:
> > 1) Message digest algorithm: SHA-1
> > 2) Signature algorithm: SHA1withDSA
> >
> > Other jars may require additional algorithms, for example, SHA1withRSA. We
> > can verify BC provider first and use it for further jar verifications.
> >
> > Thanks,
> > Stepan Mishura
> > Intel Middleware Products Division
> >
> >
> >
> > On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> >> Hi Tim,
> >>
> >> In order to verify the signature of those signed provider jars I believe
> >> that you would also need trusted implementations of :
> >>
> >> * SHA-1 and MD5 digest algorithms
> >> * DSA and RSA signature algorithms
> >>
> >>
> >> Best regards,
> >> George
> >> IBM UK
> >>
> >>
> >> Tim Ellison wrote:
> >>> Stepan Mishura wrote:
> >>> <snip>
> >>>
> >>>> Returning back to the 'missing post'. I agreed with suggestion but
> >> currently
> >>>> we don't have Harmony provider so we should define how we locate
> >> 'trusted
> >>>> provides' to be secure.
> >>>>
> >>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>> providers' jars and get any others.
> >>>
> >>> Regards,
> >>> Tim
> >>>
> >>>
> >>
> >
> >
> > --
> >
>

Re: verifying signed jars

Posted by Geir Magnusson Jr <ge...@pobox.com>.
So I'll ask the obvious - can we borrow some of this from BC?

Stepan Mishura wrote:
> We should have at least to verify BC provider:
> 1) Message digest algorithm: SHA-1
> 2) Signature algorithm: SHA1withDSA
> 
> Other jars may require additional algorithms, for example, SHA1withRSA. We
> can verify BC provider first and use it for further jar verifications.
> 
> Thanks,
> Stepan Mishura
> Intel Middleware Products Division
> 
> 
> 
> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>> Hi Tim,
>>
>> In order to verify the signature of those signed provider jars I believe
>> that you would also need trusted implementations of :
>>
>> * SHA-1 and MD5 digest algorithms
>> * DSA and RSA signature algorithms
>>
>>
>> Best regards,
>> George
>> IBM UK
>>
>>
>> Tim Ellison wrote:
>>> Stepan Mishura wrote:
>>> <snip>
>>>
>>>> Returning back to the 'missing post'. I agreed with suggestion but
>> currently
>>>> we don't have Harmony provider so we should define how we locate
>> 'trusted
>>>> provides' to be secure.
>>>>
>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>> providers' jars and get any others.
>>>
>>> Regards,
>>> Tim
>>>
>>>
>>
> 
> 
> --
> 

Re: verifying signed jars

Posted by George Harley <ge...@googlemail.com>.
Hi Mikhail,


Mikhail Loenko wrote:
> More implementations we have in Harmony - less we depend on third parties.
>
> I think SHA-1 and DSA is something to start with.
>
> Makes sense?
>   

Makes sense.


> Thanks,
> Mikhail
>
> On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>   
>> Hi Stepan,
>>
>> In the short term, yes, SHA-1 and DSA should suffice for verifying the
>> BouncyCastle provider jar. Long term though, Harmony will also need to
>> support the MD5 and RSA algorithms for other providers that may have
>> been signed with those algorithms. While the Jar file specification does
>> not mandate a set of digest and signature algorithms that may be used
>> for signing, it should be noted that the reference jarsigner tool
>> supports both DSA+SHA-1 and RSA+MD5.
>>
>> Best regards,
>> George
>> IBM UK
>>
>> PS, Keeping my fingers crossed this ends up on the dev-list :-)
>>
>>
>> Stepan Mishura wrote:
>>     
>>> We should have at least to verify BC provider:
>>> 1) Message digest algorithm: SHA-1
>>> 2) Signature algorithm: SHA1withDSA
>>>
>>> Other jars may require additional algorithms, for example,
>>> SHA1withRSA. We can verify BC provider first and use it for further
>>> jar verifications.
>>>
>>>
>>> Thanks,
>>> Stepan Mishura
>>> Intel Middleware Products Division
>>>
>>>
>>>
>>> On 2/10/06, *George Harley* <george.c.harley@googlemail.com
>>> <ma...@googlemail.com>> wrote:
>>>
>>>     Hi Tim,
>>>
>>>     In order to verify the signature of those signed provider jars I
>>>     believe
>>>     that you would also need trusted implementations of :
>>>
>>>     * SHA-1 and MD5 digest algorithms
>>>     * DSA and RSA signature algorithms
>>>
>>>
>>>     Best regards,
>>>     George
>>>     IBM UK
>>>
>>>
>>>     Tim Ellison wrote:
>>>     > Stepan Mishura wrote:
>>>     > <snip>
>>>     >
>>>     >> Returning back to the 'missing post'. I agreed with suggestion
>>>     but currently
>>>     >> we don't have Harmony provider so we should define how we
>>>     locate 'trusted
>>>     >> provides' to be secure.
>>>     >>
>>>     >
>>>     > We just need a trusted SHA1PRNG, right? then we can open signed
>>>     > providers' jars and get any others.
>>>     >
>>>     > Regards,
>>>     > Tim
>>>     >
>>>     >
>>>
>>>
>>>
>>>
>>> --
>>>       
>>     
>
>   

Best regards,
George

Re: verifying signed jars

Posted by Mikhail Loenko <ml...@gmail.com>.
More implementations we have in Harmony - less we depend on third parties.

I think SHA-1 and DSA is something to start with.

Makes sense?

Thanks,
Mikhail

On 2/10/06, George Harley <ge...@googlemail.com> wrote:
> Hi Stepan,
>
> In the short term, yes, SHA-1 and DSA should suffice for verifying the
> BouncyCastle provider jar. Long term though, Harmony will also need to
> support the MD5 and RSA algorithms for other providers that may have
> been signed with those algorithms. While the Jar file specification does
> not mandate a set of digest and signature algorithms that may be used
> for signing, it should be noted that the reference jarsigner tool
> supports both DSA+SHA-1 and RSA+MD5.
>
> Best regards,
> George
> IBM UK
>
> PS, Keeping my fingers crossed this ends up on the dev-list :-)
>
>
> Stepan Mishura wrote:
> >
> > We should have at least to verify BC provider:
> > 1) Message digest algorithm: SHA-1
> > 2) Signature algorithm: SHA1withDSA
> >
> > Other jars may require additional algorithms, for example,
> > SHA1withRSA. We can verify BC provider first and use it for further
> > jar verifications.
> >
> >
> > Thanks,
> > Stepan Mishura
> > Intel Middleware Products Division
> >
> >
> >
> > On 2/10/06, *George Harley* <george.c.harley@googlemail.com
> > <ma...@googlemail.com>> wrote:
> >
> >     Hi Tim,
> >
> >     In order to verify the signature of those signed provider jars I
> >     believe
> >     that you would also need trusted implementations of :
> >
> >     * SHA-1 and MD5 digest algorithms
> >     * DSA and RSA signature algorithms
> >
> >
> >     Best regards,
> >     George
> >     IBM UK
> >
> >
> >     Tim Ellison wrote:
> >     > Stepan Mishura wrote:
> >     > <snip>
> >     >
> >     >> Returning back to the 'missing post'. I agreed with suggestion
> >     but currently
> >     >> we don't have Harmony provider so we should define how we
> >     locate 'trusted
> >     >> providers' to be secure.
> >     >>
> >     >
> >     > We just need a trusted SHA1PRNG, right? then we can open signed
> >     > providers' jars and get any others.
> >     >
> >     > Regards,
> >     > Tim
> >     >
> >     >
> >
> >
> >
> >
> > --
>
>

Re: verifying signed jars

Posted by George Harley <ge...@googlemail.com>.
Hi Stepan,

In the short term, yes, SHA-1 and DSA should suffice for verifying the 
BouncyCastle provider jar. Long term though, Harmony will also need to 
support the MD5 and RSA algorithms for other providers that may have 
been signed with those algorithms. While the Jar file specification does 
not mandate a set of digest and signature algorithms that may be used 
for signing, it should be noted that the reference jarsigner tool 
supports both DSA+SHA-1 and RSA+MD5.

Best regards,
George
IBM UK

PS, Keeping my fingers crossed this ends up on the dev-list :-)


Stepan Mishura wrote:
>
> We should have at least to verify BC provider:
> 1) Message digest algorithm: SHA-1
> 2) Signature algorithm: SHA1withDSA
>
> Other jars may require additional algorithms, for example, 
> SHA1withRSA. We can verify BC provider first and use it for further 
> jar verifications.
>
>  
> Thanks,
> Stepan Mishura
> Intel Middleware Products Division
>
>
>  
> On 2/10/06, *George Harley* <george.c.harley@googlemail.com 
> <ma...@googlemail.com>> wrote:
>
>     Hi Tim,
>
>     In order to verify the signature of those signed provider jars I
>     believe
>     that you would also need trusted implementations of :
>
>     * SHA-1 and MD5 digest algorithms
>     * DSA and RSA signature algorithms
>
>
>     Best regards,
>     George
>     IBM UK
>
>
>     Tim Ellison wrote:
>     > Stepan Mishura wrote:
>     > <snip>
>     >
>     >> Returning back to the 'missing post'. I agreed with suggestion
>     but currently
>     >> we don't have Harmony provider so we should define how we
>     locate 'trusted
>     >> providers' to be secure.
>     >>
>     >
>     > We just need a trusted SHA1PRNG, right? then we can open signed
>     > providers' jars and get any others.
>     >
>     > Regards,
>     > Tim
>     >
>     >
>
>
>
>
> -- 


Re: verifying signed jars

Posted by Stepan Mishura <st...@gmail.com>.
We need at least the following to verify the BC provider:
1) Message digest algorithm: SHA-1
2) Signature algorithm: SHA1withDSA

Other jars may require additional algorithms, for example, SHA1withRSA. We
can verify BC provider first and use it for further jar verifications.

Thanks,
Stepan Mishura
Intel Middleware Products Division



On 2/10/06, George Harley <ge...@googlemail.com> wrote:
>
> Hi Tim,
>
> In order to verify the signature of those signed provider jars I believe
> that you would also need trusted implementations of :
>
> * SHA-1 and MD5 digest algorithms
> * DSA and RSA signature algorithms
>
>
> Best regards,
> George
> IBM UK
>
>
> Tim Ellison wrote:
> > Stepan Mishura wrote:
> > <snip>
> >
> >> Returning back to the 'missing post'. I agreed with suggestion but
> currently
> >> we don't have Harmony provider so we should define how we locate
> 'trusted
> >> providers' to be secure.
> >>
> >
> > We just need a trusted SHA1PRNG, right? then we can open signed
> > providers' jars and get any others.
> >
> > Regards,
> > Tim
> >
> >
>
>


--
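
The bootstrap order George and Stepan describe above (a trusted SHA-1 and SHA1withDSA in the runtime, the BC jar verified with only those, and BC's SHA1withRSA or MD5withRSA then available for the next jars), as an added example in Java. This is not code from the Harmony project or from anyone in this thread. It assumes: that the runtime's own JarFile verifier is trusted (the very component Harmony still had to write); the file names bcprov.jar and other-provider.jar; and that a jar's signature algorithm can be named as "<digest>with<key>" from the digest attribute in its .SF file and the .DSA/.RSA block extension, which is how jarsigner names them but is a heuristic, since the authoritative identifiers are inside the PKCS#7 block. The BouncyCastleProvider class name is the real one.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/**
 * A jar is verified only if every digest and signature algorithm its signature
 * needs is already in the trusted set; a provider's algorithms join that set
 * only after the provider's own jar has verified. Names are upper-cased with
 * hyphens removed so "SHA-1", "SHA1" and "SHA1withDSA" compare as "SHA1" and
 * "SHA1WITHDSA", the way Provider.Service reports them.
 */
public final class SignedJarBootstrap {

    // Assumption (as in the thread): the runtime itself implements SHA-1 and SHA1withDSA.
    private final Set<String> trustedDigests = new HashSet<String>();
    private final Set<String> trustedSignatures = new HashSet<String>();

    public SignedJarBootstrap() {
        trustedDigests.add("SHA1");
        trustedSignatures.add("SHA1WITHDSA");
    }

    static String normalize(String alg) {
        return alg.toUpperCase(Locale.ROOT).replace("-", "");
    }

    /** Digest names from "<ALG>-Digest" / "<ALG>-Digest-Manifest" attribute names in a .SF file. */
    private static void collectDigests(Attributes attrs, Set<String> out) {
        for (Object key : attrs.keySet()) {
            String name = key.toString();
            int i = name.toUpperCase(Locale.ROOT).indexOf("-DIGEST");
            if (i > 0) out.add(normalize(name.substring(0, i)));
        }
    }

    static final class Needs {
        final Set<String> digests = new HashSet<String>();
        final Set<String> signatures = new HashSet<String>();
    }

    /** Algorithms the jar's signature files require, read from META-INF only. */
    static Needs requiredAlgorithms(JarFile jar) throws IOException {
        Needs needs = new Needs();
        Set<String> keyAlgs = new HashSet<String>();
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
            JarEntry je = e.nextElement();
            String name = je.getName().toUpperCase(Locale.ROOT);
            if (!name.startsWith("META-INF/")) continue;
            if (name.endsWith(".SF")) {
                InputStream in = jar.getInputStream(je);
                try {
                    Manifest sf = new Manifest(in);   // .SF files use the manifest syntax
                    collectDigests(sf.getMainAttributes(), needs.digests);
                    for (Attributes a : sf.getEntries().values()) collectDigests(a, needs.digests);
                } finally { in.close(); }
            } else if (name.endsWith(".DSA") || name.endsWith(".RSA")) {
                keyAlgs.add(name.substring(name.lastIndexOf('.') + 1));
            }
        }
        // Heuristic (assumption): jarsigner signs with "<digest>with<key>", e.g. SHA1withDSA,
        // MD5withRSA. The authoritative identifiers sit in the PKCS#7 block, not parsed here.
        for (String d : needs.digests) for (String k : keyAlgs) needs.signatures.add(d + "WITH" + k);
        return needs;
    }

    private static boolean isSignatureRelated(String entry) {
        String n = entry.toUpperCase(Locale.ROOT);
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA")));
    }

    /** Enforces the trusted set first, then lets the jar verifier check every entry. */
    public void verify(File path) throws IOException {
        JarFile jar = new JarFile(path, true);   // true: verify signatures as entries are read
        try {
            Needs needs = requiredAlgorithms(jar);
            if (needs.signatures.isEmpty()) throw new SecurityException(path + ": no signature block");
            for (String d : needs.digests)
                if (!trustedDigests.contains(d)) throw new SecurityException(path + ": untrusted digest " + d);
            for (String s : needs.signatures)
                if (!trustedSignatures.contains(s)) throw new SecurityException(path + ": untrusted signature " + s);
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry je = e.nextElement();
                InputStream in = jar.getInputStream(je);
                try {
                    while (in.read(buf) != -1) { }   // reading to EOF triggers the digest check (SecurityException on mismatch)
                } finally { in.close(); }
                // A jar with some signed and some unsigned entries does not fail on its own; refuse it here.
                if (!je.isDirectory() && !isSignatureRelated(je.getName()) && je.getCodeSigners() == null)
                    throw new SecurityException(path + ": unsigned entry " + je.getName());
            }
        } finally { jar.close(); }
    }

    /** Verifies a provider jar, installs the provider, and trusts the algorithms it implements. */
    public void trustProvider(File jarPath, String providerClass) throws Exception {
        verify(jarPath);
        URLClassLoader loader = new URLClassLoader(new URL[] { jarPath.toURI().toURL() },
                SignedJarBootstrap.class.getClassLoader());
        Provider p = (Provider) Class.forName(providerClass, true, loader).getDeclaredConstructor().newInstance();
        Security.addProvider(p);
        for (Provider.Service s : p.getServices()) {
            if ("MessageDigest".equals(s.getType())) trustedDigests.add(normalize(s.getAlgorithm()));
            else if ("Signature".equals(s.getType())) trustedSignatures.add(normalize(s.getAlgorithm()));
        }
    }

    public static void main(String[] args) throws Exception {
        SignedJarBootstrap boot = new SignedJarBootstrap();
        // Assumed file names. Step 1 needs only SHA-1 + SHA1withDSA; step 2 may need
        // SHA1withRSA or MD5withRSA, trusted only because the BC jar verified first.
        boot.trustProvider(new File("bcprov.jar"), "org.bouncycastle.jce.provider.BouncyCastleProvider");
        boot.verify(new File("other-provider.jar"));
        System.out.println("trusted signature algorithms: " + boot.trustedSignatures);
    }
}
```

The pre-check is the security point: JarFile on its own will use whatever provider happens to be installed, so the trusted set has to be enforced before verification rather than read off the result afterwards. After step 1 the set also contains MD5WITHRSA, which is what George's jarsigner compatibility note calls for, but it is a policy knob; a deployment that does not want MD5-signed jars filters what trustProvider adds.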

Re: verifying signed jars

Posted by George Harley <ge...@googlemail.com>.
Hi Tim,

In order to verify the signature of those signed provider jars I believe 
that you would also need trusted implementations of :

* SHA-1 and MD5 digest algorithms
* DSA and RSA signature algorithms


Best regards,
George
IBM UK


Tim Ellison wrote:
> Stepan Mishura wrote:
> <snip>
>   
>> Returning back to the 'missing post'. I agreed with suggestion but currently
>> we don't have Harmony provider so we should define how we locate 'trusted
>> providers' to be secure.
>>     
>
> We just need a trusted SHA1PRNG, right? then we can open signed
> providers' jars and get any others.
>
> Regards,
> Tim
>
>