On Tuesday 12 of October 2010 15:07:07 Sim IJskes - QCG wrote:
> On 10/12/2010 02:57 PM, Michal Kleczek wrote:
> >> No you don't. You can delegate it to the IntegrityVerifier. This is the
> >> place where you should check the integrity. You will have enough
> >> information there (coded in the codebase parameter), to load the code,
> >> check endpoints (dns name, ip address, TLS) if wanted, check signatures,
> >> certificates, checksums.
> >
> > Right - but it looks to me we're turning circles right now. Maybe I just
> > don't understand what you're saying so let me describe a scenario that I
> > would like to support:
> > 1. Prerequisite - you and I are logged in to the same Kerberos realm and
> > I know your kerberos principal
> > 2. I got a piece of data - a marshalled object
> > 3. Before I deserialize an object I want to make sure the codebase of the
> > object I got is the one you wanted it to be (regardless of the contents
> > of the jar file I will download later - I'm going to check its integrity
> > later on)
>
> My take on this, is that we should lower the prerequisite, and still
> have a robust implementation. We are talking about the internet are we?
> How many of us share a kerberos realm?
C'mon - that's not fair :). I've chosen kerberos to show we can (and should) support something more than PKI stuff. But make it simpler - you have a TLS certificate but you don't have a code signing certificate (you know - it is much more expensive). Or your code is signed with PGP - but I don't have a PGP verifier installed. Is it possible for you to provide me with third party PGP verifier code that in turn is signed with a standard X509 certificate?

> I don't like the idea that we allow full deserialization before we have
> had a chance to let the IntegrityVerifier have a look at it.

But suppressing recursive readAnnotation already does that!!! Doesn't it?

Michal
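The scenario in the thread (authenticate the codebase annotation of a marshalled object before anything from that codebase is loaded, and treat the jar's own integrity as a separate, later check) as an added example that is not River/Jini code and not from either participant. It uses the plain JDK `ObjectOutputStream.annotateClass` / `ObjectInputStream.resolveClass` hooks rather than Jini's `MarshalOutputStream`/`MarshalInputStream`, and an HMAC under a shared key stands in for whatever key two principals in the same Kerberos realm would derive. The keys and the two codebase URLs are constructed for the demo; the jar is never fetched or checked here, which is what the IntegrityVerifier would do afterwards.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not River/Jini code. Every class descriptor in the stream is
 * annotated with the codebase plus an HMAC over it under a key shared by
 * sender and receiver (standing in for a Kerberos-derived key). The receiver
 * checks the tag inside resolveClass, i.e. before any class from that
 * codebase is loaded, so a rewritten annotation is rejected without running
 * or even fetching code. Jar integrity is a separate later check, not done here.
 */
public class AuthenticatedAnnotationDemo {

    // Constructed demo keys; the attacker does not hold the shared key.
    static final byte[] SHARED_KEY = "demo-shared-secret".getBytes(StandardCharsets.UTF_8);
    static final byte[] ATTACKER_KEY = "not-the-shared-secret".getBytes(StandardCharsets.UTF_8);
    // Hypothetical codebase URLs used only for the demo.
    static final String CODEBASE = "http://sender.example/service-dl.jar";
    static final String FORGED_CODEBASE = "http://attacker.example/evil-dl.jar";
    static final int TAG_LEN = 32; // HmacSHA256 output size

    static byte[] tag(byte[] key, String codebase) throws IOException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(codebase.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IOException(e);
        }
    }

    /** Sender side: annotation is "codebase || len || HMAC(key, codebase)". */
    static class MarshalOut extends ObjectOutputStream {
        private final byte[] key;
        private final String codebase;

        MarshalOut(OutputStream out, byte[] key, String codebase) throws IOException {
            super(out);
            this.key = key;
            this.codebase = codebase;
        }

        @Override
        protected void annotateClass(Class<?> cl) throws IOException {
            byte[] t = tag(key, codebase);
            writeUTF(codebase);
            writeInt(t.length);
            write(t);
        }
    }

    /** Receiver side: verify the annotation before any class is resolved. */
    static class MarshalIn extends ObjectInputStream {
        private final byte[] key;
        private String verifiedCodebase;

        MarshalIn(InputStream in, byte[] key) throws IOException {
            super(in);
            this.key = key;
        }

        String verifiedCodebase() { return verifiedCodebase; }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String codebase = readUTF();
            int len = readInt();
            if (len != TAG_LEN) {              // bound the read before allocating
                throw new InvalidObjectException("bad annotation tag length " + len);
            }
            byte[] t = new byte[len];
            readFully(t);
            // Constant-time compare; a bad tag means this annotation was not
            // produced by the holder of the shared key, so stop before loading.
            if (!MessageDigest.isEqual(t, tag(key, codebase))) {
                throw new InvalidObjectException("codebase annotation rejected: " + codebase);
            }
            verifiedCodebase = codebase;
            // A real implementation would now hand codebase to the class loader
            // (RMIClassLoader in Jini); the demo resolves from the class path.
            return super.resolveClass(desc);
        }
    }

    static byte[] marshal(Object o, byte[] key, String codebase) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (MarshalOut out = new MarshalOut(bos, key, codebase)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object unmarshal(byte[] bytes, byte[] key) throws IOException, ClassNotFoundException {
        try (MarshalIn in = new MarshalIn(new ByteArrayInputStream(bytes), key)) {
            Object o = in.readObject();
            System.out.println("accepted codebase " + in.verifiedCodebase());
            return o;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> payload = new HashMap<>();
        payload.put("answer", 42);

        // Genuine message: annotation authenticated under the shared key.
        System.out.println("deserialized " + unmarshal(marshal(payload, SHARED_KEY, CODEBASE), SHARED_KEY));

        // Same object, annotation redirected to an attacker jar and tagged with
        // the wrong key: rejected in resolveClass, before any class is loaded.
        try {
            unmarshal(marshal(payload, ATTACKER_KEY, FORGED_CODEBASE), SHARED_KEY);
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the check makes is the one in the scenario: the receiver learns which codebase the key holder intended before it resolves a single class, independent of what the jar at that URL contains. Passing the verified codebase to an `RMIClassLoader`-style loader and verifying the downloaded jar would be the next, separate step.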
