On 10/12/2010 02:57 PM, Michal Kleczek wrote:
>> No you don't. You can delegate it to the IntegrityVerifier. This is the
>> place where you should check the integrity. You will have enough
>> information there (coded in the codebase parameter), to load the code,
>> check endpoints (dns name, ip address, TLS) if wanted, check signatures,
>> certificates, checksums.
>
> Right - but it looks to me we're turning circles right now. Maybe I just don't
> understand what you're saying so let me describe a scenario that I would like
> to support:
>
> 1. Prerequisite - you and I are logged in to the same Kerberos realm and I
> know your kerberos principal
> 2. I got a piece of data - a marshalled object
> 3. Before I deserialize an object I want to make sure the codebase of the
> object I got is the one you wanted it to be (regardless of the contents of the
> jar file I will download later - I'm going to check its integrity later on)
My take on this is that we should lower the prerequisite and still
have a robust implementation. We are talking about the internet, are we?
How many of us share a kerberos realm?

I don't like the idea that we allow full deserialization before we have
had a chance to let the IntegrityVerifier have a look at it. And if you
want to fix that, you've created a snake biting its own arse. And we
won't have that, do we?

Gr. Sim
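The check the two of them are circling, as an added example that is not part of this thread and not River/Jini code: authenticate the codebase annotation of a marshalled object first, and only deserialize the object after that annotation (and its endpoint) has passed. It assumes a shared key as a stand-in for the session key two principals in one Kerberos realm would already hold, JSON as a stand-in for Java serialization, and an envelope layout, host allow-list and helper names that are all constructed for the example.

```python
"""Verify a marshalled object's codebase annotation before deserializing it.

Added example, not River/Jini code. A shared key stands in for the session
key two principals in the same Kerberos realm already hold; JSON stands in
for Java serialization. The envelope layout and all names are constructed.
"""
import hashlib
import hmac
import json
from urllib.parse import urlsplit


class CodebaseRejected(Exception):
    """Raised when the annotation cannot be trusted; nothing was deserialized."""


def _tag(key: bytes, codebase: str, payload: bytes) -> str:
    # Length-prefix the codebase so the codebase/payload boundary cannot be shifted.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    cb = codebase.encode("utf-8")
    mac.update(len(cb).to_bytes(4, "big"))
    mac.update(cb)
    mac.update(payload)
    return mac.hexdigest()


def seal(key: bytes, codebase: str, obj) -> bytes:
    """Sender side: marshal obj together with the codebase it should be loaded from."""
    payload = json.dumps(obj, sort_keys=True)
    envelope = {
        "codebase": codebase,
        "payload": payload,
        "tag": _tag(key, codebase, payload.encode("utf-8")),
    }
    return json.dumps(envelope).encode("utf-8")


def with_codebase(envelope: bytes, codebase: str) -> bytes:
    """Test fixture: rewrite the annotation, as a swapped codebase in transit would."""
    outer = json.loads(envelope)
    outer["codebase"] = codebase
    return json.dumps(outer).encode("utf-8")


def check_codebase(key: bytes, envelope: bytes, allowed_hosts) -> tuple:
    """Step 3 of the scenario: decide whether the codebase annotation is the one
    the sender intended, looking only at the outer envelope. Returns (codebase, payload)."""
    try:
        outer = json.loads(envelope)
        codebase = outer["codebase"]
        payload = outer["payload"].encode("utf-8")
        tag = outer["tag"].encode("ascii")
        if not isinstance(codebase, str):
            raise TypeError("codebase must be a string")
        expected = _tag(key, codebase, payload).encode("ascii")
    except (ValueError, KeyError, TypeError, AttributeError, UnicodeEncodeError) as exc:
        raise CodebaseRejected("malformed envelope") from exc
    if not hmac.compare_digest(tag, expected):
        raise CodebaseRejected("annotation not authenticated by the expected principal")
    # Endpoint check of the kind an IntegrityVerifier could also do: TLS to known hosts only.
    parts = urlsplit(codebase)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise CodebaseRejected("codebase endpoint not allowed: " + codebase)
    return codebase, payload


def unmarshal(key: bytes, envelope: bytes, allowed_hosts):
    """Deserialize only after the annotation has passed check_codebase."""
    _codebase, payload = check_codebase(key, envelope, allowed_hosts)
    return json.loads(payload)


if __name__ == "__main__":
    KEY = b"constructed-session-key"  # constructed for the demo; never hard-code a real key
    HOSTS = {"svc.example.org"}
    env = seal(KEY, "https://svc.example.org/lib-dl.jar", {"id": 7})
    print(unmarshal(KEY, env, HOSTS))
    for bad in (with_codebase(env, "https://evil.example/lib-dl.jar"),
                with_codebase(env, "http://svc.example.org/lib-dl.jar")):
        try:
            unmarshal(KEY, bad, HOSTS)
        except CodebaseRejected as exc:
            print("rejected:", exc)
```

The order matters: `check_codebase` parses nothing but the outer envelope and refuses to hand the payload to `json.loads` until the tag and the endpoint both pass, so a substituted annotation is caught before any object is reconstructed. Whether the jar behind the codebase is intact is a separate check, done when it is downloaded.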