
Re: signed jar in java library



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles Fry <debian@frogcircus.org> writes:

> The only options I can think of are to make multiple packages, some
> with signed jars and some with unsigned jars, or to provide both jars
> in the same package. Note that this is not just a matter of being
> signed by the Legion of the Bouncy Castle; the certificate they use
> was obtained from "the JCE Code Signing Certification Authority"
> [1]. Being signed allows Java to [2]trust the jar, in accordance with
> the privileges associated with the trusted signer.

Hey! Maybe it'd be good if we had a Debian Certificate, wouldn't it?!

> 1. http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205
> 2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed

We can set up something to sign our jars so they can all be trusted.

[...]

> Yeah, I filed the initial bug imagining a single package, and then
> realized that there are multiple packages distributed separately by
> Bouncy Castle. My first thought was to create a different package for
> each signed jar they provide on their download page. Is that the right
> thing to do, or should I rather create a single package that provides
> all of the jars? Or should I group together the 112, 113, and 114 jars
> of the same type?

I don't know the difference between 1.1.2 and 1.1.3. I think nobody
uses <= 1.1.2 anymore.

> I've uploaded a first stab at packaging one of the jars to
> mentors.debian.net, but it doesn't seem to be there yet. The package
> name I uploaded is libbcprov-jdk14-java. I would love to get feedback on
> it once it arrives.

I'm a little busy ATM but I'll contact you if I have some time to look
at the package.

>> I'm not a guru in cryptography so I'd like to know the differences
>> between Bouncy Castle Cryptography and Cryptix?
>> 
>> Bouncy Castle Crypto APIs -- http://www.bouncycastle.org/
>> Cryptix -- http://www.ntua.gr/cryptix/
>
> They are very similar in nature. They do, of course have different
> algorithms implemented. I started using Bouncy Castle because of their
> Elliptic Curve Cryptography implementation (including ECDSA,
> specifically). Also, "Although primarily geared towards providing
> alternative encryption algorithms for J2SE, the Legion has adapted some
> of its code to work with J2ME. Specifically, parts of the Bouncy Castle
> lightweight cryptography API work with both the CLDC and the CDC" [3].
>
> 3. http://java.sun.com/developer/J2METechTips/2001/tt1217.html

Great. Do you think it's important to have Cryptix also in Debian?

>> Thanks for your time and help in Debian,
>
> Thank you for your feedback. I hope to receive additional help as I iron
> out the issues related to packaging Bouncy Castle.

Sure, I'll try to help.

Cheers,

- -- 
  .''`. 
 : :' :rnaud
 `. `'  
   `-    
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAcmHL4vzFZu62tMIRAu97AJ4qmUpQD+AZ6PM7fCucn5efrNmHbQCeMA5Y
x023Ow8wuKCXr0cq6ahwF/I=
=kNRD
-----END PGP SIGNATURE-----
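The thread above turns on whether a jar carries a verifiable code signature, since the JCE framework only loads a provider from a jar signed by a certificate that chains to a JCE code-signing CA, and a rebuilt (Debian) jar without that signature would be refused. The following program is an added example, not code from this thread, from Bouncy Castle or from Debian: it opens a jar with verification enabled, reads every entry to the end (the JDK only populates an entry's signers after its digest has been checked against the manifest), and reports which signer certificate vouches for each entry. The class name JarSignerReport and the output format are my own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Reports, for every class/resource entry in a jar, whether it is signed
 * and by which certificate. Exits 0 if every entry is signed, 1 otherwise.
 * A SecurityException is thrown if an entry's digest does not match the
 * signed manifest (i.e. the jar was modified after signing).
 */
public class JarSignerReport {

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerReport <file.jar>");
            System.exit(2);
        }
        // second argument 'true' enables signature verification on read
        try (JarFile jar = new JarFile(args[0], true)) {
            boolean allSigned = true;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature block files are not themselves signed entries
                }
                // Signers are only available once the entry has been read to EOF,
                // because the digest check happens while the stream is consumed.
                drain(jar.getInputStream(entry));
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    allSigned = false;
                    System.out.println("UNSIGNED  " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    CertPath path = signer.getSignerCertPath();
                    // first certificate in the path is the signer's own (leaf) certificate
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    System.out.println("SIGNED    " + entry.getName()
                        + "  subject=" + leaf.getSubjectX500Principal().getName()
                        + "  issuer=" + leaf.getIssuerX500Principal().getName());
                }
            }
            System.out.println(allSigned ? "all entries signed" : "some entries unsigned");
            System.exit(allSigned ? 0 : 1);
        }
    }

    /** Reads a stream to EOF and closes it; needed to trigger digest verification. */
    private static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        try (InputStream s = in) {
            while (s.read(buf) != -1) {
                // discard contents; only the digest check matters here
            }
        }
    }
}
```

Run it as `java JarSignerReport bcprov-jdk14-1xx.jar` (file name is a placeholder). Note that this report only establishes that each entry's signature is internally consistent and shows who the signer claims to be; it does not decide trust. Whether that signer's chain reaches a CA the JCE framework accepts is a separate check that the framework performs itself when the provider is loaded, which is exactly why a locally rebuilt, unsigned jar shows up here as UNSIGNED and is then rejected as a JCE provider.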


