My comment was directed towards: Mikhail Loenko wrote: "The sources would be good - we would be able to fix bugs quickly and replace parts of implementation for example where our code is faster."
i.e. why not fix bugs and make it go faster for everyone -- no need to fork. Regards, Tim Mikhail Loenko wrote: > How will it solve our problem with verifying signed jars? > > Thanks, > Mikhail > > On 2/13/06, Richard Liang <[EMAIL PROTECTED]> wrote: >> That's a good idea :-) >> >> Richard Liang >> China Software Development Lab, IBM >> >> >> >> Tim Ellison wrote: >>> Why not contribute directly to BouncyCastle? >>> >>> Regards, >>> Tim >>> >>> Mikhail Loenko wrote: >>> >>>> The sources would be good - we would be able to fix bugs quickly and >>>> replace >>>> parts of implementation for example where our code is faster. >>>> >>>> Thanks, >>>> Mikhail >>>> >>>> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote: >>>> >>>>> Heh. Everything we will do is legal :) >>>>> >>>>> The point is - would taking some source from BC be the smart thing to do >>>>> - would it be complete, and what kind of maintenance burden would this >>>>> be going forward? Would some kind of re-packaged artifact from the BC >>>>> project itself be better? >>>>> >>>>> Do we need source? Could we have a step where we re-package BC code in >>>>> a form more suited for our purposes? >>>>> >>>>> geir >>>>> >>>>> Mikhail Loenko wrote: >>>>> >>>>>> We can if it is legal >>>>>> >>>>>> Thanks, >>>>>> Mikhail >>>>>> >>>>>> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote: >>>>>> >>>>>>> So I'll ask the obvious - can we borrow some of this from BC? >>>>>>> >>>>>>> Stepan Mishura wrote: >>>>>>> >>>>>>>> We should have at least to verify BC provider: >>>>>>>> 1) Message digest algorithm: SHA-1 >>>>>>>> 2) Signature algorithm: SHA1withDSA >>>>>>>> >>>>>>>> Other jars may require additional algorithms, for example, >>>>>>>> SHA1withRSA. We >>>>>>>> can verify BC provider first and use it for further jar verifications. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Stepan Mishura >>>>>>>> Intel Middleware Products Division >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote: >>>>>>>> >>>>>>>>> Hi Tim, >>>>>>>>> >>>>>>>>> In order to verify the signature of those signed provider jars I >>>>>>>>> believe >>>>>>>>> that you would also need trusted implementations of : >>>>>>>>> >>>>>>>>> * SHA-1 and MD5 digest algorithms >>>>>>>>> * DSA and RSA signature algorithms >>>>>>>>> >>>>>>>>> >>>>>>>>> Best regards, >>>>>>>>> George >>>>>>>>> IBM UK >>>>>>>>> >>>>>>>>> >>>>>>>>> Tim Ellison wrote: >>>>>>>>> >>>>>>>>>> Stepan Mishura wrote: >>>>>>>>>> <snip> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but >>>>>>>>>>> >>>>>>>>> currently >>>>>>>>> >>>>>>>>>>> we don't have Harmony provider so we should define how we locate >>>>>>>>>>> >>>>>>>>> 'trusted >>>>>>>>> >>>>>>>>>>> provides' to be secure. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed >>>>>>>>>> providers' jars and get any others. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Tim >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>>> >>> >> > -- Tim Ellison ([EMAIL PROTECTED]) IBM Java technology centre, UK.
