I really don't remember the details here. I suspect once we got all Eclipse projects signing with a real cert verified by an authority trusted by the JVM, this wasn't a big issue for us. In the end, asking an end user to make a trust decision on a self-signed or unverified cert is silly anyway. There is no way an end user could make an informed trust decision based on that information, and if we did persist the decision, it would essentially be "I know it's not trusted but please stop asking me". It looks like KeyStoreTrustEngine registered by the framework is capable of persisting changes though, if the system is configured properly. If Scott or anyone else is interested in the trust persistence aspect I suggest opening a bug and we go from there.
John

From: Thomas Watson <[email protected]>
To: Equinox development mailing list <[email protected]>,
Date: 01/02/2013 10:20 AM
Subject: Re: [equinox-dev] TrustEngine and other security services
Sent by: [email protected]

Thanks John,

I see that the code you mention does use a TrustEngine to attempt to persist newly trusted certificates. But I wonder if there are any implementations of the TrustEngine service that are not read-only. The framework registers a built-in TrustEngine that is backed by the CA certs that are configured with the VM but this TrustEngine is read-only.

Tom

From: John Arthorne <[email protected]>
To: Equinox development mailing list <[email protected]>,
Date: 01/02/2013 08:43 AM
Subject: Re: [equinox-dev] TrustEngine and other security services
Sent by: [email protected]

p2 uses the TrustEngine to persist newly trusted certificates after prompting the user. See org.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.

http://git.eclipse.org/c/equinox/rt.equinox.p2.git/tree/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java

John

From: Thomas Watson <[email protected]>
To: Equinox development mailing list <[email protected]>,
Date: 01/02/2013 09:28 AM
Subject: Re: [equinox-dev] TrustEngine and other security services
Sent by: [email protected]

The TrustEngine is largely used as an implementation detail behind the org.eclipse.osgi.signedcontent package. OSGi services published using the org.eclipse.osgi.service.security.TrustEngine interface are used to determine the authenticity of a certificate chain used to sign content (jars, bundles etc.). I did not remember p2 using the TrustEngine directly, but perhaps it does for authenticating other types of certificates.

Sorry, other than the javadoc published for the packages there is not a lot of documentation here.

Tom

From: Pascal Rapicault <[email protected]>
To: Equinox development mailing list <[email protected]>,
Date: 12/29/2012 03:51 AM
Subject: Re: [equinox-dev] TrustEngine and other security services
Sent by: [email protected]

The p2 engine makes use of the TrustEngine, however I don't remember the details of how it works. You may also want to poke around at other parts of p2 as I just happen to remember about this ref in the engine, but there may be others.

HTH

Pascal

On 2012-12-29, at 5:47 AM, Scott Lewis wrote:

> Hello,
>
> Is there documentation on Equinox security services like org.eclipse.osgi.service.security.TrustEngine service...and implementation? I looked in the Equinox Security area [1], but didn't find a lot of service/API docs. Is/are there examples of using the TrustEngine service(s)?
>
> Thanks,
>
> Scott

_______________________________________________
equinox-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/equinox-dev
