[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [iaik-jce] Java JCE 1.2.1 Spec - a danger for iaik??



Hello,

very interesting question. My thoughts:

- It's not the API that can force signed providers but the framework (the
javax.crypto
classes). Since most providers (IAIK, Cryptix, DSTC, ...) all have their
own implementation
of the framework there's no reason why these framework implementations
can't be used
anymore. Or why they can't be upgraded to the 1.2.1 API, without
implementing the signature
checks...

- And even if SUN distributes products based on JCE1.2.1, I think it would
be still possible
to replace the SUN provider + framework implementation by another one.

- BUT I think the only problem would be if the JCE would move into the core
classes: if the
javax.crypto classes become a fixed part of each Java distribution,
applications may be
obliged to use them.

I'd love to hear some critiques, remarks, ... on this,

Stef





All,

there is a new specification from SUN JCE 1.2.1 which assumes a digital
signature
accepted by SUN and the NSA for the security providers.

Does this effect iaik JCE? Or could you still use iaik JCE?

 http://www.ibiblio.org/javafaq/reports/JCE_1.2.1.html

> Berend Boll
> mailto:berend.boll@telekom.de
> http://www.berkom.de
>
--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content:
UNSUBSCRIBE iaik-jce


--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content: UNSUBSCRIBE iaik-jce