Comments on the module-file format

Roger Riggs Roger.Riggs at Sun.COM
Fri Feb 5 05:43:38 PST 2010


Hi,

Using multiple signing formats increases the complexity all around, the target
needs to include the code to support all the formats, be configured with
multiple kinds of certificates, etc.; developers will need to be given guidance
about what formats to use, and tools are needed as well.

Unless there are non-technical reasons that force multiple signing techniques,
a single one will be easier on the eco-system.  Requiring a single scheme
that always works with optional additional schemes would be a good start.

Roger


On 2/4/10 11:47 PM, Mark Reinhold wrote:
>> Date: Wed, 03 Feb 2010 17:34:10 -0500
>> From: sean.mullan at sun.com
>
>> I'm still coming up to speed on jigsaw itself, but I read through the latest
>> module format and had a couple of quick comments from a security perspective.
>
> Thanks for reading!
>
>> - are the current hashes intended to be primarily used as a checksum or are
>> they also designed as input into a subsequent signing operation? (or is that
>> TBD). The hash and the data can be replaced for example, by a man-in-the-middle
>> without detection.
>
> They're intended for both purposes, though right now they're used only
> for integrity checks.
>
>> - as for the signature itself, one possible suggestion is to consider reusing
>> the existing PKCS#7 format that we use for JAR signatures. PKCS#7 already
>> defines a format for holding the necessary certificates and is extensible to
>> support various signature algorithms. And of course there is already PKCS#7
>> support in the JRE. PKCS#7 is also designed to support single-pass processing.
>
> I'm not an expert in this area, but that makes sense to me.  Are there
> other formats we should consider?  Do PGP/GPG somehow map into PKCS 7?
>
> Where should signatures reside -- in a module file, or alongside it in a
> separate file?  JAR files do the former, but some OS packaging systems
> (e.g., Debian) do the latter.
>
> If signatures go in module files then they should probably be near the
> front so that certificates can be checked before reading the entire file.
>
> - Mark
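The hash-versus-signature point in Sean's first question and Mark's suggestion of putting the signature near the front, as an added example in Go that is not part of this thread or of Jigsaw: a constructed toy container whose check value sits ahead of the body, with Ed25519 standing in for the PKCS#7 signature and certificate handling under discussion. A hash-only header is simply recomputed by whoever replaces the body, so the check still passes; a signed header cannot be recomputed without the publisher's key, and a verifier can read it before the rest of the file.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Constructed toy layouts (not the Jigsaw module-file format):
//   hash-only: [32-byte SHA-256 of body][body]
//   signed:    [64-byte Ed25519 signature over SHA-256(body)][body]
// Both keep the check value at the front, ahead of the body.
const SigHeaderLen = ed25519.SignatureSize

// WrapHashOnly prefixes the body with its digest: an integrity check only.
func WrapHashOnly(body []byte) []byte {
	d := sha256.Sum256(body)
	return append(d[:], body...)
}

// CheckHashOnly recomputes the digest. It says nothing about who wrote it,
// so a party that replaces body and digest together still passes.
func CheckHashOnly(blob []byte) bool {
	if len(blob) < sha256.Size {
		return false
	}
	d := sha256.Sum256(blob[sha256.Size:])
	return bytes.Equal(d[:], blob[:sha256.Size])
}

// WrapSigned prefixes the body with the publisher's signature over its digest.
func WrapSigned(priv ed25519.PrivateKey, body []byte) []byte {
	d := sha256.Sum256(body)
	return append(ed25519.Sign(priv, d[:]), body...)
}

// CheckSigned reads the header first, then hashes the body and verifies;
// a body replaced without the private key fails here.
func CheckSigned(pub ed25519.PublicKey, blob []byte) bool {
	if len(blob) < SigHeaderLen {
		return false
	}
	d := sha256.Sum256(blob[SigHeaderLen:])
	return ed25519.Verify(pub, d[:], blob[:SigHeaderLen])
}

// SwapBody keeps a blob's header and substitutes the body (the tampering case).
func SwapBody(blob []byte, headerLen int, body []byte) []byte {
	return append(append([]byte{}, blob[:headerLen]...), body...)
}
```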


