Folks, FYI, we are going take some code from BC in juice project. Check [1] for more info.
thanks, dims [1] http://mail-archives.apache.org/mod_mbox/xml-juice-dev/200601.mbox/[EMAIL PROTECTED] On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote: > Heh. Everything we will do is legal :) > > The point is - would taking some source from BC be the smart thing to do > - would it be complete, and what kind of maintenance burden would this > be going forward? Would some kind of re-packaged artifact from the BC > project itself be better? > > Do we need source? Could we have a step where we re-package BC code in > a form more suited for our purposes? > > geir > > Mikhail Loenko wrote: > > We can if it is legal > > > > Thanks, > > Mikhail > > > > On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote: > >> So I'll ask the obvious - can we borrow some of this from BC? > >> > >> Stepan Mishura wrote: > >>> We should have at least to verify BC provider: > >>> 1) Message digest algorithm: SHA-1 > >>> 2) Signature algorithm: SHA1withDSA > >>> > >>> Other jars may require additional algorithms, for example, SHA1withRSA. We > >>> can verify BC provider first and use it for further jar verifications. > >>> > >>> Thanks, > >>> Stepan Mishura > >>> Intel Middleware Products Division > >>> > >>> > >>> > >>> On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote: > >>>> Hi Tim, > >>>> > >>>> In order to verify the signature of those signed provider jars I believe > >>>> that you would also need trusted implementations of : > >>>> > >>>> * SHA-1 and MD5 digest algorithms > >>>> * DSA and RSA signature algorithms > >>>> > >>>> > >>>> Best regards, > >>>> George > >>>> IBM UK > >>>> > >>>> > >>>> Tim Ellison wrote: > >>>>> Stepan Mishura wrote: > >>>>> <snip> > >>>>> > >>>>>> Returning back to the 'missing post'. I agreed with suggestion but > >>>> currently > >>>>>> we don't have Harmony provider so we should define how we locate > >>>> 'trusted > >>>>>> provides' to be secure. > >>>>>> > >>>>> We just need a trusted SHA1PRNG, right? then we can open signed > >>>>> providers' jars and get any others. > >>>>> > >>>>> Regards, > >>>>> Tim > >>>>> > >>>>> > >>> > >>> -- > >>> > > > > > -- Davanum Srinivas : http://wso2.com/blogs/
