-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charles Fry <[EMAIL PROTECTED]> writes:
> The only options I can think of are to make multiple packages, some > with signed jars and some with unsigned jars, or to provide both jars > in the same package. Note that this is not just a matter of bein > signed by the Legion of the Bouncy Castle; the certificate they use > was obtained from "the JCE Code Signing Certification Authority" > [1]. Being signed allows Java to [2]trust the jar, in accordance with > the privileges associated with the trusted signer. Hey! Maybe it'd be good if we had a Debian Certificate, isn't it?! > 1. > http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205 > 2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed We can setup something to sign our jars so they all be trusted. [...] > Yeah, I filed the initial bug imagining a single package, and then > realized that there are multiple packages distributed separately by > Bouncy Castle. My first thought was to create a different package for > each signed jar they provide on their download page. Is that the right > thing to do, or should I rather create a single package that provides > all of the jars? Or should I group together the 112, 113, and 114 jars > of the same type? I don't know the difference between 1.1.2 and 1.1.3. I think nobody do use <= 1.1.2 anymore. > I've uploaded a first stab at packaging one of the jars to > mentors.debian.net, but it doesn't seem to be there yet. The package > name I uploaded is libbcprov-jdk14-java. I would love to get feedback on > it once it arrives. I'm a little busy ATM but I'll contact you if I have some time to look at the package. >> I'm not a guru in cryptography so I'd like to know the differences >> between Bouncy Castle Cryptography and Cryptix? >> >> Bouncy Castle Crypto APIs -- http://www.bouncycastle.org/ >> Cryptix -- http://www.ntua.gr/cryptix/ > > They are very similar in nature. They do, of course have different > algorithms implemented. I started using Bouncy Castle because of their > Elliptic Curve Cryptogrophy implementation (including ECDSA, > specifically). Also, "Although primarily geared towards providing > alternative encryption algorithms for J2SE, the Legion has adapted some > of its code to work with J2ME. Specifically, parts of the Bouncy Castle > lightweight cryptography API work with both the CLDC and the CDC" [3]. > > 3. http://java.sun.com/developer/J2METechTips/2001/tt1217.html Great. Do you think it's important to have Cryptix also in Debian? >> Thanks for your time and help in Debian, > > Thank you for your feedback. I hope to receive additional help as I iron > out the issues related to packaging Bouncy Castle. Sure, I'll try to help. Cheers, - -- .''`. : :' :rnaud `. `' `- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAcmHL4vzFZu62tMIRAu97AJ4qmUpQD+AZ6PM7fCucn5efrNmHbQCeMA5Y x023Ow8wuKCXr0cq6ahwF/I= =kNRD -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
