JAR: Archive Signing Scheme

Christian Eich (eich@wor.de)
Fri, 31 Jan 1997 16:00:48 +0100 (MET)

Date: Fri, 31 Jan 1997 16:00:48 +0100 (MET)
From: Christian Eich <eich@wor.de>
To: java-security@java
Subject: JAR: Archive Signing Scheme

Hello,

We are developing a home banking applet for a german bank.
Due to current security restrictions, we planned to spread an
installation disk (with a signature-checker) to prevent internet
spoofing attacks.

Based on the JAR-Archive-Signing functionality (desribed in
docs/guide/jar/manifest.html in the Java 1.1 SDK-API-Documentation) we
have the following questions:

- Is it correct, that the Java virtual machine (of the browser) checks
every class, before executin any network loaded code?
- Can I tell the browser not to execute any code, that isn't properly
signed?
- About when will such browsers (esp. Netscape Navigator and Internet
Explorer) be released?
- What is the maximum signature-key length supported in Non-US-Versions?
- or: Are signature key lengths restricted the same way like crypto keys
by US export laws?

I thank you very much for your answers.

Regards,

Christian

-------------------------------------------------------------------
! eich@wor.de che@org.chemie.uni-muenchen.de !
-------------------------------------------------------------------
! If it dogs on you, throw some more memory at it. !
! Talk to it nicely and Feed it plenty of electrons. !
------------------------------------------------ (Paul J. Mech) ---