> > The only options I can think of are to make multiple packages, some
> > with signed jars and some with unsigned jars, or to provide both
> > jars in the same package. Note that this is not just a matter of
> > being signed by the Legion of the Bouncy Castle; the certificate they
> > use was obtained from "the JCE Code Signing Certification Authority"
> > [1]. Being signed allows Java to [2]trust the jar, in accordance
> > with the privileges associated with the trusted signer.
>
> Hey! Maybe it'd be good if we had a Debian Certificate, isn't it?!
>
> > 1. http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205
> > 2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed
>
> We can set up something to sign our jars so they will all be trusted.

Man, great idea! For some reason I never even thought about that
possibility. If ever packages were created for other crypto providers,
we could use it to sign them as well. Who would be the right person to
pursue this possibility?

To start with I will create some initial packages that do not contain
signed jars, with the expectation that we will eventually find a way to
sign them.

> > I've uploaded a first stab at packaging one of the jars to
> > mentors.debian.net, but it doesn't seem to be there yet. The package
> > name I uploaded is libbcprov-jdk14-java. I would love to get
> > feedback on it once it arrives.

There was an error in my initial upload which has been fixed. However,
the current upload includes the signed jars. I will send out another
email when I upload the new version(s) without signed jars.

> Great. Do you think it's important to have Cryptix also in Debian?

I may be the wrong person to ask about this, but in my judgement it is
not crucial. In most cases, a single crypto provider is sufficient. That
said, it doesn't hurt to give people more choice. I guess I just don't
see sufficient gain to justify taking the time myself to package it.

My limited experience in this area is in the Computer Security group at
Carnegie Mellon University. Everyone I know here who does security
research in Java uses Bouncy Castle. I don't know anyone who uses
Cryptix. Of course that is a tiny sample set, and I am confident that
there are plenty of people who use and even prefer Cryptix, although I
couldn't speak for them or for the reasons why.

Charles

--
Speed
Was high
Weather was not
Tires were thin
X marks the spot
Burma-Shave
http://frogcircus.org/burmashave/1948/speed