> > Can someone please comment on how we should proceed to obtain a JCE Code
> > Signing Certificate for Debian?
>
> Why can't we just install a trusted certificate in our own packages?
>
> It's not clear to me who should own the private key corresponding to
> the certificate, either. Perhaps you could explain why this
> certificate is needed? Hopefully, the rest follows from that.

Well, I may not entirely understand your question, but here is my understanding of the situation, as supported by the document How to Implement a Provider for the Java™ Cryptography Extension[1].

1. http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html

You should definitely read the introduction of that document. I started to cut and paste, but there is just too much relevant information.

To summarize, JCE provides a modular framework whereby various security "providers" can implement generic security algorithms, and make them available by name, independent of any knowledge of the provider where they are coming from. For example, I could issue the following call to obtain a Signature instance using a certain algorithm, fit for use in creating cryptographic signatures, by the following call:

    Signature sig = Signature.getInstance("MD5withRSA");

This will result in a search of the security providers in $JAVA_HOME/lib/security/java.security until a provider is found who provides an implementation of the requested algorithm.

In order to be trusted, the security provider must be signed with a key that was certified by the JCE Code Signing Certification Authority (see Step 5 of the document above). The upstream distribution of BouncyCastle, for example, is signed by such a code-signing certificate, but instead of trusting them we want to build the code ourselves, which means that we in turn need to sign it ourselves.

Does that clarify things a little?

Charles

--
From New York town
To Pumpkin Holler
Still
Half a pound
For half a dollar
Burma-Shave
No price increase
http://burma-shave.org/jingles/1948/from_new_york
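
Added example, not part of the original message or of any project's code: a small Java program that walks the installed providers in preference order, shows which of them offer the algorithm named in the message, and prints the code-signing certificates (if any) attached to the code each one was loaded from. The class name ProviderAudit is hypothetical; the default algorithm is the one used in the message.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper class for this example.
public class ProviderAudit {
    // Describe where a provider's classes were loaded from and who signed them.
    static String describeOrigin(Provider p) {
        CodeSource src = p.getClass().getProtectionDomain().getCodeSource();
        if (src == null) {
            return "no code source (loaded by the runtime itself)";
        }
        StringBuilder sb = new StringBuilder(String.valueOf(src.getLocation()));
        Certificate[] certs = src.getCertificates();
        if (certs == null || certs.length == 0) {
            return sb.append(" [no signer certificates]").toString();
        }
        for (Certificate c : certs) {
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                sb.append("\n      subject: ").append(x.getSubjectX500Principal().getName())
                  .append("\n      issuer:  ").append(x.getIssuerX500Principal().getName());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String alg = args.length > 0 ? args[0] : "MD5withRSA";
        // Providers come back in the preference order configured in java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean offers = p.getService("Signature", alg) != null;
            System.out.printf("%2d. %-14s %s%n", i + 1, p.getName(),
                    offers ? "offers " + alg : "-");
            if (offers) {
                System.out.println("    loaded from: " + describeOrigin(p));
            }
        }
        // The lookup from the message: report which provider actually answers it.
        Signature sig = Signature.getInstance(alg);
        System.out.println("Signature.getInstance(\"" + alg + "\") -> "
                + sig.getProvider().getName());
    }
}
```

Running it before and after installing a locally built provider jar shows whether that jar moved ahead of the bundled providers and which certificate chain, if any, its signature carries.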