Availability of a Signed Version of postgresql.jar

Lists: pgsql-jdbc
From: "Dario V(dot) Fassi" <software(at)sistemat(dot)com(dot)ar>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Availability of a Signed Version of postgresql.jar
Date: 2004-07-08 18:45:17
Message-ID: 40ED963D.8090307@sistemat.com.ar

Is a signed version of postgresql.jar available?


From: Kris Jurka <books(at)ejurka(dot)com>
To: "Dario V(dot) Fassi" <software(at)sistemat(dot)com(dot)ar>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Availability of a Signed Version of postgresql.jar
Date: 2004-07-08 21:37:39
Message-ID: Pine.BSO.4.56.0407081631120.29683@leary.csoft.net
Lists: pgsql-jdbc

On Thu, 8 Jul 2004, Dario V. Fassi wrote:

> Is a signed version of postgresql.jar available?

No, but why would you want one? As I understand it signed jar files are
only useful in a sandboxed environment where access to protected resources
is desired. The postgresql jar file itself is useless without an
application calling it so the application should include the
postgresql.jar file and be signed, not the pg jar file.

Further, as the driver is maintained by unrelated volunteers, there are
problems because no one individual is in charge of producing the jar
files and there is no certificate chain available from someone like
Verisign.

Kris Jurka


From: "Dario V(dot) Fassi" <software(at)sistemat(dot)com(dot)ar>
To: Kris Jurka <books(at)ejurka(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Availability of a Signed Version of postgresql.jar
Date: 2004-07-08 23:58:42
Message-ID: 40EDDFB2.9010609@sistemat.com.ar
Lists: pgsql-jdbc

For "Trusted Java applications" and "J2EE Client applications", any
jar deployed with (or as part of) the application must be signed.

For Java Web Start applications, if you need to deploy postgresql.jar
as a component of the application, then it must be signed; otherwise the
whole application is considered "not trusted".

Of course, anyone can sign postgresql.jar with their own certificate
(or a self-signed certificate), but given how Java Web Start presents the
certificate to the user for acceptance, it would be better if the
certificate belonged to the official organization.

If the development group doesn't have a real certificate, then, since the
development group is a non-profit organization, I think that Verisign or
any other certification authority could donate one.

Kris Jurka wrote:

> On Thu, 8 Jul 2004, Dario V. Fassi wrote:
>
> > Is a signed version of postgresql.jar available?
>
> No, but why would you want one? As I understand it signed jar files are
> only useful in a sandboxed environment where access to protected resources
> is desired. The postgresql jar file itself is useless without an
> application calling it so the application should include the
> postgresql.jar file and be signed, not the pg jar file.
>
> Further as the driver is maintained by unrelated volunteers there are
> problems because no one individual is in charge of producing the jar
> files and there is no certificate chain available from someone like
> Verisign.
>
> Kris Jurka

--

Dario V. Fassi

SISTEMATICA ingenieria de software srl
<http://www.sistemat.com.ar>
Ituzaingo 1628 (2000) Rosario, Santa Fe, Argentina.
Tel / Fax: +54 (341) 485.1432 / 485.1353


From: Kris Jurka <books(at)ejurka(dot)com>
To: "Dario V(dot) Fassi" <software(at)sistemat(dot)com(dot)ar>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Availability of a Signed Version of postgresql.jar
Date: 2004-07-09 01:41:58
Message-ID: Pine.BSO.4.56.0407082031240.16961@leary.csoft.net
Lists: pgsql-jdbc

On Thu, 8 Jul 2004, Dario V. Fassi wrote:

> Of course, anyone can sign postgresql.jar with their own certificate
> (or a self-signed certificate), but given how Java Web Start presents the
> certificate to the user for acceptance, it would be better if the
> certificate belonged to the official organization.

This makes sense, but isn't exactly an item that anyone else has been
begging for. Does it matter which developer signs it? Does it need to be
the same one every time? If yes, then we don't have that infrastructure
available at the moment and I don't see how to build it given the
looseness of our organization. If no, then why not just sign it yourself?
I guess I just fail to see the point of self-signing.

> If the development group doesn't have a real certificate, then, since the
> development group is a non-profit organization, I think that Verisign or
> any other certification authority could donate one.

I'll believe that when I see it.

Kris Jurka


From: "Chris Smith" <cdsmith(at)twu(dot)net>
To: "Kris Jurka" <books(at)ejurka(dot)com>, "Dario V(dot) Fassi" <software(at)sistemat(dot)com(dot)ar>
Cc: <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Availability of a Signed Version of postgresql.jar
Date: 2004-07-09 02:08:49
Message-ID: 036301c46559$af402d90$6f00000a@KYA
Lists: pgsql-jdbc

Kris Jurka wrote:
> This makes sense, but isn't exactly an item that anyone else has been
> begging for. Does it matter which developer signs it? Does it need
> to be the same one every time? If yes, then we don't have that
> infrastructure available at the moment and I don't see how to build
> it given the looseness of our organization. If no, then why not just
> sign it yourself. I guess I just fail to see the point of self
> signing.

One use of code-signing is to prevent the distribution of "fake" versions of
code. *IF* the person using the code properly and conscientiously verifies
the signature on the code, then they can be sure that the signer signed the
exact copy they've received. This protects against an attack whereby a web or
ftp server is compromised and people download versions of the driver with
trojan horses embedded... or even just where a trojan horse is distributed by
"back" channels aside from the web site.

For this purpose, any relatively trusted person who contributes to PostgreSQL
could grab the code, audit it for trojan horses, and then sign it. The signed
version would prevent replacing the driver with an obvious trojan horse.
Nevertheless, since the code isn't really developed in a controlled "private"
environment to begin with, the signature would only mean that there aren't
obvious flaws. In essence, it's no harder to postulate that someone
compromises the CVS server than that someone compromises a web or ftp server, so
some of the point is lost.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
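The "properly and conscientiously verifies the signature" step that Chris describes, and Dario's requirement that every component jar be signed by one consistent signer, are what a consuming application has to implement itself; neither the driver nor the JDK does it for a jar merely sitting on the classpath. The following is an added example written for this thread, not code from the PostgreSQL JDBC project, showing how such a check looks with the standard `java.util.jar` API (Java 17 or later assumed for `HexFormat`). The pinned fingerprint value is a placeholder; the real one must come from a channel other than the jar being checked.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Accepts a jar only if it is intact and every content entry is signed by one pinned certificate. */
public final class JarSignatureCheck {

    /** Entries jarsigner does not sign: the manifest and the signature files themselves. */
    static boolean isSigningRelated(String name) {
        String n = name.toUpperCase();
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
                || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    /** SHA-256 fingerprint of a certificate's DER encoding, lower-case hex without separators. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }

    /**
     * Returns true only if every non-signature entry carries a signature whose leaf
     * certificate matches expectedFingerprint. A modified entry is reported by the JDK as a
     * SecurityException while its bytes are read; an entry added after signing has no
     * signers; an entry signed by somebody else fails the fingerprint comparison.
     */
    public static boolean verify(Path jar, String expectedFingerprint) throws Exception {
        try (JarFile jf = new JarFile(jar.toFile(), true)) {  // true: verify signatures on read
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSigningRelated(e.getName())) continue;
                // Digests are checked as the stream is consumed, so every byte must be read
                // before getCodeSigners() returns anything meaningful.
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                } catch (SecurityException tampered) {
                    return false;  // entry content no longer matches its signed digest
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false;  // unsigned entry: not covered by the manifest at signing time
                }
                boolean matched = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equalsIgnoreCase(expectedFingerprint)) matched = true;
                }
                if (!matched) return false;  // signed, but not by the signer we pinned
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // PLACEHOLDER fingerprint: replace with the value obtained out of band from the signer.
        String pinned = args.length > 1 ? args[1]
                : "0000000000000000000000000000000000000000000000000000000000000000";
        System.out.println(verify(Path.of(args[0]), pinned) ? "OK" : "REJECT");
    }
}
```

Run it as `java JarSignatureCheck postgresql.jar <sha256-of-signer-cert>`. Pinning the certificate fingerprint rather than merely asking "is it signed?" is what answers Kris's "does it matter which developer signs it?": the consumer decides which signer it trusts, so a jar re-signed with any other key, self-signed or not, is rejected as firmly as an unsigned one. The limit Chris points out still applies: a passing check proves that the bytes are the ones the signer saw, not that the signer's source tree was clean.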