I think that only the group of users that is using the classes of some web
application with Jakarta should sign the classes they are using, because the
private key is something that only those groups should know.
With best wishes,
Edson Alves Pereira
[EMAIL PROTECTED] wrote:
>
> Java comes with the ability to sign a jar file with a private key.
> A signed jar file can then be verified by the user or verified by the
> JVM at runtime if an application is using the Java SecurityManager.
>
> Signing of jar files can help users protect themselves from trojan
> versions of java jar files.
>
> Both Tomcat 3.2 and Tomcat 4.0 now support use of the Java SecurityManager.
>
> The Jakarta project is providing a wide range of java components which
> are used in servlet containers such as Tomcat.
>
> If Tomcat is being used with the Java SecurityManager the java policy
> file can be configured so that it knows who is a valid signer of a jar
> file. This allows users to upgrade jar files they install in Tomcat such
> as xerces, xalan, taglibs, etc. with confidence that they won't install
> a trojan'd version.
>
> Signing of jar files provided in distributions from the Jakarta project
> would give users a higher level of confidence that the software they are
> using is secure.
>
> Last May apache.org was compromised by "white hats"; if they had been
> "black hats", software provided by the ASF could easily have been trojan'd.
>
> Do you think the ASF should sign jar files?
>
> If the ASF signs jars, a host of other questions are raised.
>
> Should all jar files be signed, even for nightly builds? Or just
> for major releases, betas, milestones, etc.?
>
> Would only one key be used for all of ASF, or multiple keys?
>
> How would the private key(s) be kept secure? Who would be authorized to sign?
>
> Is there a way to provide signed jar files without making the build/
> release process too difficult?
>
> Regards,
>
> Glenn
>
> ----------------------------------------------------------------------
> Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
> MOREnet System Programming | * if iz ina coment. |
> Missouri Research and Education Network | */ |
> ----------------------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
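The runtime check Glenn describes (the JVM only trusting jars whose signer the policy file names) can also be done explicitly before a jar is put on a classpath. The following is an added example, not code from the thread or from the Jakarta project; it assumes a keystore file and alias of the site's choosing, and reads every entry so that `JarFile` verifies the signatures, then rejects the jar if any class is unsigned or signed by a certificate other than the trusted one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {

    // Returns true only if every non-META-INF entry in jarPath is signed by the
    // certificate stored under 'alias' in the keystore (hypothetical paths/alias:
    // the caller supplies the keystore that holds the ASF/Jakarta signer cert).
    public static boolean isTrusted(String jarPath, String keystorePath,
                                    char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        Certificate trusted = ks.getCertificate(alias);
        if (trusted == null) {
            throw new IllegalArgumentException("no certificate for alias " + alias);
        }

        // verify=true makes JarFile check each entry's digest and signature block
        // as the entry is read; a tampered entry raises SecurityException here.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read to end to trigger verification */ }
                }
                // null means the entry carries no signature at all; an unsigned
                // class slipped into a "signed" jar must fail the check too.
                Certificate[] certs = e.getCertificates();
                if (certs == null || !containsTrusted(certs, trusted)) return false;
            }
        }
        return true;
    }

    private static boolean containsTrusted(Certificate[] certs, Certificate trusted) {
        for (Certificate c : certs) {
            if (c.equals(trusted)) return true;
        }
        return false;
    }
}
```

The equivalent policy-file statement for the SecurityManager case in the thread is a `grant signedBy "<alias>"` block with a `keystore` line pointing at the same keystore; the program above simply makes that trust decision explicit for jars installed outside the container.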