
Re: JCE Code Signing Certificate



> > Can someone please comment on how we should proceed to obtain a JCE Code
> > Signing Certificate for Debian?
> 
> Why can't we just install a trusted certificate in our own packages?
> 
> It's not clear to me who should own the private key corresponding to
> the certificate, either.  Perhaps you could explain why this
> certificate is needed?  Hopefully, the rest follows from that.

Well, I may not entirely understand your question, but here is my
understanding of the situation, as supported by the document How to
Implement a Provider for the Java(TM) Cryptography Extension[1].

   1. http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html

You should definitely read the introduction of that document. I started
to cut and paste, but there is just too much relevant information. To
summarize, JCE provides a modular framework whereby various security
"providers" can implement generic security algorithms, and make them
available by name, independent of any knowledge of the provider where
they are coming from.

For example, I could obtain a Signature instance using a certain
algorithm, fit for use in creating cryptographic signatures, by the
following call:

   Signature sig = Signature.getInstance("MD5withRSA");

This will result in a search of the security providers in
$JAVA_HOME/lib/security/java.security until a provider is found who
provides an implementation of the requested algorithm. In order to be
trusted, the security provider must be signed with a key that was
certified by the JCE Code Signing Certification Authority (see Step 5 of
the document above).

The upstream distribution of BouncyCastle, for example, is signed by
such a code-signing certificate, but instead of trusting them we want to
build the code ourselves, which means that we in turn need to sign it
ourselves.

Does that clarify things a little?

Charles

-- 
From New York town
To Pumpkin Holler
Still
Half a pound
For half a dollar
Burma-Shave
No price increase
http://burma-shave.org/jingles/1948/from_new_york

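As an added illustration of the provider lookup described in the message above (this is example code written for this page, not code from the original e-mail, from Sun's document, or from BouncyCastle), the following program prints the provider search order that java.security establishes, resolves an algorithm by name and reports which provider answered, pins a specific provider explicitly, and does a sign/verify round trip. It assumes a JDK with the standard Sun providers (SunRsaSign, SunJCE) on the path; the BouncyCastle class name org.bouncycastle.jce.provider.BouncyCastleProvider is an assumption about what is on the classpath and the program simply skips that step if the class is absent. Two caveats a practitioner would want: the provider-signature check that the JCE document describes is enforced by the javax.crypto engine classes (Cipher, Mac, KeyAgreement, KeyGenerator, SecretKeyFactory), which is why the Cipher.getInstance call below is the one guarded against SecurityException, and MD5withRSA should not be used for new signatures, so the example uses SHA256withRSA instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

public class ProviderLookupDemo {

    // The order in which getInstance(...) searches providers is the order
    // of the security.provider.N entries in $JAVA_HOME/lib/security/java.security
    // (conf/security/java.security on JDK 9+), plus anything added at runtime.
    static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " - " + providers[i].getInfo());
        }
    }

    // Resolve an algorithm by name only and report which provider supplied it.
    static String resolveSignature(String algorithm) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(algorithm);
        String provider = sig.getProvider().getName();
        System.out.println(algorithm + " -> " + provider);
        return provider;
    }

    // Sign and verify a constructed sample message with a fresh 2048-bit RSA key.
    static boolean signAndVerify(String algorithm) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sigBytes = signer.sign();

        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sigBytes);
    }

    // Assumption: BouncyCastle may or may not be on the classpath. If it is,
    // insert it at the front of the search order so that the lookup by name
    // now prefers it, which is what a packaged (and therefore self-signed)
    // provider jar would have to be registered as.
    static boolean tryInsertBouncyCastleFirst() {
        try {
            Class<?> bc = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Provider p = (Provider) bc.getDeclaredConstructor().newInstance();
            Security.insertProviderAt(p, 1);
            return true;
        } catch (ReflectiveOperationException e) {
            System.out.println("BouncyCastle not on classpath, skipping: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        resolveSignature("SHA256withRSA");

        // Pinning a provider by name avoids surprises when the search order changes.
        Signature pinned = Signature.getInstance("SHA256withRSA", "SunRsaSign");
        System.out.println("pinned -> " + pinned.getProvider().getName());

        System.out.println("round trip verifies: " + signAndVerify("SHA256withRSA"));

        if (tryInsertBouncyCastleFirst()) {
            listProviders();
            resolveSignature("SHA256withRSA");
        }

        // javax.crypto engine classes are where an unsigned provider is rejected:
        // on JDKs that enforce JCE provider signing, getInstance throws
        // SecurityException ("JCE cannot authenticate the provider ...").
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            System.out.println("AES/GCM/NoPadding -> " + c.getProvider().getName());
        } catch (SecurityException e) {
            System.out.println("provider rejected by JCE: " + e.getMessage());
        }
    }
}
```

Run it once as-is and once with a BouncyCastle jar on the classpath; the second run shows the same getInstance("SHA256withRSA") call being answered by a different provider purely because of its position in the list, which is the behaviour the message above describes.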

