Comments on the module-file format
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Fri Feb 5 05:09:04 PST 2010
>> - as for the signature itself, one possible suggestion is to consider reusing
>> the existing PKCS#7 format that we use for JAR signatures. PKCS#7 already
>> defines a format for holding the necessary certificates and is extensible to
>> support various signature algorithms. And of course there is already PKCS#7
>> support in the JRE. PKCS#7 is also designed to support single-pass processing.
>
> I'm not an expert in this area, but that makes sense to me. Are there
> other formats we should consider? Do PGP/GPG somehow map into PKCS 7?
According to http://www.imc.org/smime-pgpmime.html:
S/MIME was originally developed by RSA Data Security, Inc. It is
based on the PKCS #7 data format for the messages, and the X.509v3
format for certificates. PKCS #7, in turn, is based on the ASN.1
DER format for data.
PGP/MIME is based on PGP, which was developed by many individuals,
some of whom have now joined together as PGP, Inc. The message and
certificate formats were created from scratch, and use simple
binary encoding. OpenPGP is also based on PGP.
>
> Where should signatures reside -- in a module file, or alongside it in a
> separate file? JAR files do the former, but some OS packaging systems
> (e.g., Debian) do the latter.
I'd like multiple signatures support so that a company can re-sign a 3rd-party module. If the signatures are not inside the module file, they would have different file names.
>
> If signatures go in module files then they should probably be near the
> front so that certificates can be checked before reading the entire file.
Yes, if a module file is always read sequentially. But, MP3 files have tags at the end, probably meant to be easy for editing.
Max
>
> - Mark
More information about the jigsaw-dev
mailing list