Re: signed jar in java library

To: debian-java@lists.debian.org
Subject: Re: signed jar in java library
From: Charles Fry <debian@frogcircus.org>
Date: Tue, 6 Apr 2004 16:56:57 -0400
Message-id: <[🔎] 20040406205657.GB21418@frogcircus.org>
In-reply-to: <[🔎] 87d66l1r1y.fsf@oz.fapse.ulg.ac.be>
References: <[🔎] 20040405154952.GF14579@frogcircus.org> <[🔎] 87smfijfsy.fsf@oz.fapse.ulg.ac.be> <[🔎] 20040405213859.GC25614@frogcircus.org> <[🔎] 87d66l1r1y.fsf@oz.fapse.ulg.ac.be>

> > The only options I can think of are to make multiple packages, some
> > with signed jars and some with unsigned jars, or to provide both
> > jars in the same package. Note that this is not just a matter of
> > bein signed by the Legion of the Bouncy Castle; the certificate they
> > use was obtained from "the JCE Code Signing Certification Authority"
> > [1]. Being signed allows Java to [2]trust the jar, in accordance
> > with the privileges associated with the trusted signer.
> 
> Hey! Maybe it'd be good if we had a Debian Certificate, isn't it?!
> 
> > 1. http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205
> > 2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed
> 
> We can setup something to sign our jars so they all be trusted.

Man, great idea! For some reason I never even thought about that
possibility. If ever packages were created for other crypto providers,
we could use it to sign them as well. Who would be the right person to
pursue this possibility?

To start with I will create some initial packages that do not contain
signed jars, with the expectation that we will eventually find a way to
sign them.

> > I've uploaded a first stab at packaging one of the jars to
> > mentors.debian.net, but it doesn't seem to be there yet. The package
> > name I uploaded is libbcprov-jdk14-java. I would love to get
> > feedback on it once it arrives.

There was an error in my initial upload which has been fixed. However
the current upload includes the signed jars. I will send out another
email when I upload the new version(s) without signed jars.

> Great. Do you think it's important to have Cryptix also in Debian?

I may be the wrong person to ask about this, but in my judgement it is
not crucial. In most cases, a single crypto provider is sufficient. That
said, it doesn't hurt to give people more choice. I guess I just don't
see sufficient gain to justify taking the time myself to package it.

My limited experience in this area is in the Computer Security group at
Carnegie Mellon University. Everyone I know here who does security
research in Java uses Bouncy Castle. I don't know anyone who uses
Cryptix. Of course that is a tiny sample set, and I am confident that
there are plenty of people who use and even prefer Cryptix, although I
couldn't speak them or for the reasons why.

Charles

-- 
Speed
Was high
Weather was not
Tires were thin
X marks the spot
Burma-Shave
http://frogcircus.org/burmashave/1948/speed

Reply to:

References:
- signed jar in java library
  - From: Charles Fry <debian@frogcircus.org>
- Re: signed jar in java library
  - From: Arnaud Vandyck <avdyk@debian.org>
- Re: signed jar in java library
  - From: Charles Fry <debian@frogcircus.org>
- Re: signed jar in java library
  - From: Arnaud Vandyck <avdyk@debian.org>

Prev by Date: why does eclipse-platform depend on j2sdk?
Next by Date: Re: why does eclipse-platform depend on j2sdk?
Previous by thread: Re: signed jar in java library
Next by thread: Re: kaffe_1.1.4-4_i386.changes REJECTED
Index(es):
- Date
- Thread