Re: JCE Code Signing Certificate
On Tue, Oct 04, 2005 at 04:01:03PM -0400, Charles Fry wrote:
> > > In order to be trusted, the security provider must be signed with a
> > > key that was certified by the JCE Code Signing Certification
> > > Authority (see Step 5 of the document above).
> > So why can't we ship trusted root certificates for a Debian Code
> > Signing Certification Authority, or trust everything which is present
> > in the file system?
> Your first proposition sounds reasonable at first glance, though I would
> like some feedback from others who are more familiar with the free JVMs
> that ship with Java.
> > I have the strong suspicion that this certificate just asserts that
> > you have signed the CSR form and promised to comply with U.S. export
> > regulations, and nothing else. Maybe this was the result of a deal
> > between BXA/BIS and Sun which permitted Sun to export their
> > implementation. We don't need to follow such a procedure because
> > Debian has different means to comply with the regulations, and we do
> > not distribute Sun's implementation, AFAIK.
> Though we don't distribute Sun's implementation, java-package provides a
> straightforward way to insall Sun's installation on a Debian machine.
> Further, due to what appears to be a Classpath bug, no free JVM that we
> do ship is able to pass all of the BouncyCastle regression tests (which
> is why BouncyCastle is currently in contrib).
> Does anyone from debian-java know how the free JVMs deal with security
This is a big field which needs even bigger investigation. The free
runtimes can load them but signed jars are still not supported (or was
this fixed lately...). Your best action would be to just test it with
kaffe or gcj or whatever and report any bugs you find.
Escape the Java Trap with GNU Classpath!
Join the community at http://planet.classpath.org/