Jon Stevens wrote:
> 
> on 3/2/01 4:02 PM, "Glenn Nielsen" <[EMAIL PROTECTED]> wrote:
> 
> > Yes, signing the distributions like that does help provide confidence against
> > trojans.  But users having the knowledge and tools to verify the dist are not
> > as prevalent.  At least when signing jar files, if the user has a JVM, they have
> > the tools to validate the signature.  Plus jar files can be validated by the
> > JVM itself if the application is being run with the Java SecurityManager and
> > a configured policy file.
> 
> How can you assume that someone would know how to sign (or check the
> signature of) a .jar file yet they wouldn't know how to use md5 (fyi: man
> md5)?
> 

Java is available on a number of different OS platforms, not just unix.
Anyone who had the ability to use the signed jar would have the tool to verify
the signer.  That is not true for "man md5".

Glenn

----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
