How will it solve our problem with verifying signed jars?

Thanks,
Mikhail

On 2/13/06, Richard Liang <[EMAIL PROTECTED]> wrote:
> That's a good idea :-)
>
> Richard Liang
> China Software Development Lab, IBM
>
>
>
> Tim Ellison wrote:
> > Why not contribute directly to BouncyCastle?
> >
> > Regards,
> > Tim
> >
> > Mikhail Loenko wrote:
> >
> >> The sources would be good - we would be able to fix bugs quickly and replace
> >> parts of implementation for example where our code is faster.
> >>
> >> Thanks,
> >> Mikhail
> >>
> >> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:
> >>
> >>> Heh.  Everything we will do is legal :)
> >>>
> >>> The point is - would taking some source from BC be the smart thing to do
> >>> - would it be complete, and what kind of maintenance burden would this
> >>> be going forward?  Would some kind of re-packaged artifact from the BC
> >>> project itself be better?
> >>>
> >>> Do we need source?  Could we have a step where we re-package BC code in
> >>> a form more suited for our purposes?
> >>>
> >>> geir
> >>>
> >>> Mikhail Loenko wrote:
> >>>
> >>>> We can if it is legal
> >>>>
> >>>> Thanks,
> >>>> Mikhail
> >>>>
> >>>> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>> So I'll ask the obvious - can we borrow some of this from BC?
> >>>>>
> >>>>> Stepan Mishura wrote:
> >>>>>
> >>>>>> We should have at least to verify BC provider:
> >>>>>> 1) Message digest algorithm: SHA-1
> >>>>>> 2) Signature algorithm: SHA1withDSA
> >>>>>>
> >>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
> >>>>>> can verify BC provider first and use it for further jar verifications.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Stepan Mishura
> >>>>>> Intel Middleware Products Division
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote:
> >>>>>>
> >>>>>>> Hi Tim,
> >>>>>>>
> >>>>>>> In order to verify the signature of those signed provider jars I believe
> >>>>>>> that you would also need trusted implementations of:
> >>>>>>>
> >>>>>>> * SHA-1 and MD5 digest algorithms
> >>>>>>> * DSA and RSA signature algorithms
> >>>>>>>
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>> George
> >>>>>>> IBM UK
> >>>>>>>
> >>>>>>>
> >>>>>>> Tim Ellison wrote:
> >>>>>>>
> >>>>>>>> Stepan Mishura wrote:
> >>>>>>>> <snip>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but currently
> >>>>>>>>> we don't have Harmony provider so we should define how we locate 'trusted
> >>>>>>>>> providers' to be secure.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
> >>>>>>>> providers' jars and get any others.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Tim
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>> --
> >>>>>>
> >>>>>>
> >
> >
>
>
