I really don't remember the details here. I suspect once we got all Eclipse projects signing with a real cert verified by an authority trusted by the JVM, this wasn't a big issue for us. In the end, asking an end user to make a trust decision on a self-signed or unverified cert is silly anyway. There is no way an end user could make an informed trust decision based on that information, and if we did persist the decision, it would essentially be "I know it's not trusted but please stop asking me". It looks like KeyStoreTrustEngine registered by the framework is capable of persisting changes though, if the system is configured properly. If Scott or anyone else is interested in the trust persistence aspect I suggest opening a bug and we go from there.
John From: Thomas Watson <tjwat...@us.ibm.com> To: Equinox development mailing list <equinox-dev@eclipse.org>, Date: 01/02/2013 10:20 AM Subject: Re: [equinox-dev] TrustEngine and other security services Sent by: equinox-dev-boun...@eclipse.org Thanks John, I see that the code you mention does use a TrustEngine to attempt to persist newly trusted certificates. But I wonder if there are any implementations of the TrustEngine service that are not read-only. The framework registers a built-in TrustEngine that is backed by the CA certs that are configured with the VM but this TrustEngine is read-only. Tom John Arthorne ---01/02/2013 08:43:48 AM---p2 uses the TrustEngine to persist newly trusted certificates after prompting the user. See org.ecl From: John Arthorne <john_artho...@ca.ibm.com> To: Equinox development mailing list <equinox-dev@eclipse.org>, Date: 01/02/2013 08:43 AM Subject: Re: [equinox-dev] TrustEngine and other security services Sent by: equinox-dev-boun...@eclipse.org p2 uses the TrustEngine to persist newly trusted certificates after prompting the user. See org.eclipse.equinox.internal.p2.engine.phases. CertificateChecker. http://git.eclipse.org/c/equinox/rt.equinox.p2.git/tree/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java John From: Thomas Watson <tjwat...@us.ibm.com> To: Equinox development mailing list <equinox-dev@eclipse.org>, Date: 01/02/2013 09:28 AM Subject: Re: [equinox-dev] TrustEngine and other security services Sent by: equinox-dev-boun...@eclipse.org The TrustEngine is largely used as an implementation detail behind the org.eclipse.osgi.signedcontent package. OSGi services published with using the org.eclipse.osgi.service.security.TrustEngine interface are used to determine the authenticity of a certificate chain used to sign content (jars, bundles etc.). I did not remember p2 using the TrustEngine directly, but perhaps it does for authenticating other types of certificates. Sorry, other than the javadoc published for the packages there is not a lot of documentation here. Tom Pascal Rapicault ---12/29/2012 03:51:46 AM---The p2 engine makes use of the TrustEngine, however I don't remember the details of how it works. Yo From: Pascal Rapicault <pas...@rapicault.net> To: Equinox development mailing list <equinox-dev@eclipse.org>, Date: 12/29/2012 03:51 AM Subject: Re: [equinox-dev] TrustEngine and other security services Sent by: equinox-dev-boun...@eclipse.org The p2 engine makes use of the TrustEngine, however I don't remember the details of how it works. You may also want to poke around at other parts of p2 as I just happen to remember about this ref in the engine, but there may be others. HTH Pascal On 2012-12-29, at 5:47 AM, Scott Lewis wrote: > Hello, > > Is there documentation on Equinox security services like org.eclipse.osgi.service.security.TrustEngine service...and implementation? I looked in the Equinox Security area [1], but didn't find a lot of service/API docs. Is/are there examples of using the TrustEngine service(s)? > > Thanks, > > Scott > > > > _______________________________________________ > equinox-dev mailing list > equinox-dev@eclipse.org > https://dev.eclipse.org/mailman/listinfo/equinox-dev _______________________________________________ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev _______________________________________________ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev _______________________________________________ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev _______________________________________________ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
<<image/gif>>
<<image/gif>>
_______________________________________________ equinox-dev mailing list equinox-dev@eclipse.org https://dev.eclipse.org/mailman/listinfo/equinox-dev
