Why not contribute directly to BouncyCastle?

Regards,
Tim

Mikhail Loenko wrote:
> The sources would be good - we would be able to fix bugs quickly and replace
> parts of implementation for example where our code is faster.
>
> Thanks,
> Mikhail
>
> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:
>> Heh. Everything we will do is legal :)
>>
>> The point is - would taking some source from BC be the smart thing to do
>> - would it be complete, and what kind of maintenance burden would this
>> be going forward? Would some kind of re-packaged artifact from the BC
>> project itself be better?
>>
>> Do we need source? Could we have a step where we re-package BC code in
>> a form more suited for our purposes?
>>
>> geir
>>
>> Mikhail Loenko wrote:
>>> We can if it is legal
>>>
>>> Thanks,
>>> Mikhail
>>>
>>> On 2/10/06, Geir Magnusson Jr <[EMAIL PROTECTED]> wrote:
>>>> So I'll ask the obvious - can we borrow some of this from BC?
>>>>
>>>> Stepan Mishura wrote:
>>>>> We should have at least to verify BC provider:
>>>>> 1) Message digest algorithm: SHA-1
>>>>> 2) Signature algorithm: SHA1withDSA
>>>>>
>>>>> Other jars may require additional algorithms, for example, SHA1withRSA. We
>>>>> can verify BC provider first and use it for further jar verifications.
>>>>>
>>>>> Thanks,
>>>>> Stepan Mishura
>>>>> Intel Middleware Products Division
>>>>>
>>>>>
>>>>>
>>>>> On 2/10/06, George Harley <[EMAIL PROTECTED]> wrote:
>>>>>> Hi Tim,
>>>>>>
>>>>>> In order to verify the signature of those signed provider jars I believe
>>>>>> that you would also need trusted implementations of :
>>>>>>
>>>>>> * SHA-1 and MD5 digest algorithms
>>>>>> * DSA and RSA signature algorithms
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> George
>>>>>> IBM UK
>>>>>>
>>>>>>
>>>>>> Tim Ellison wrote:
>>>>>>> Stepan Mishura wrote:
>>>>>>> <snip>
>>>>>>>
>>>>>>>> Returning back to the 'missing post'. I agreed with suggestion but currently
>>>>>>>> we don't have Harmony provider so we should define how we locate 'trusted
>>>>>>>> provides' to be secure.
>>>>>>>>
>>>>>>> We just need a trusted SHA1PRNG, right? then we can open signed
>>>>>>> providers' jars and get any others.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Tim
>>>>>>>
>>>>>>>
>>>>> --
>>>>>
>>>
>

--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
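
An added illustration, not part of the original thread and not Harmony or BouncyCastle code: a small Python inventory of which digest and key algorithms a signed jar depends on, i.e. what must already be trusted before that provider jar can be verified. The function names and the sample jar (with placeholder digests and a fake signature block) are constructed for this example.

```python
import io
import re
import zipfile

# Manifest/.SF attribute names such as "SHA1-Digest" or "SHA-256-Digest-Manifest".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?$")
# Signature block files: the extension names the signer's key algorithm.
BLOCK_FILE = re.compile(r"^META-INF/[^/]+\.(DSA|RSA|EC)$", re.IGNORECASE)
META_TEXT = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.SF)$", re.IGNORECASE)

def required_algorithms(jar_bytes):
    """Return (digests, key_algs) that must be trusted before the jar can be verified."""
    digests, key_algs = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            block = BLOCK_FILE.match(name)
            if block:
                key_algs.add(block.group(1).upper())
            elif META_TEXT.match(name):
                text = jar.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith(" "):  # continuation of a wrapped value
                        continue
                    m = DIGEST_ATTR.match(line.split(":", 1)[0])
                    if m:
                        digests.add(m.group(1).upper())
    return digests, key_algs

def build_sample_jar():
    """Constructed sample laid out like a DSA-signed jar; all blobs are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n\r\n"
                     "Name: org/example/Provider.class\r\n"
                     "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
        jar.writestr("META-INF/SIGNER.SF",
                     "Signature-Version: 1.0\r\n"
                     "SHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
        jar.writestr("META-INF/SIGNER.DSA", b"\x30\x00")  # placeholder, not real PKCS#7
        jar.writestr("org/example/Provider.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print(required_algorithms(build_sample_jar()))
```

The block-file extension only identifies the key type; the exact signature algorithm (for example SHA1withDSA) is recorded inside the PKCS#7 block, which this sketch does not parse, and nothing here verifies a signature.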