Menu
▾
▴
cryptix-users
|
From: Tim O. <ti...@or...> - 2009-07-01 17:02:14
|
I am using cryptix-jce and cryptix-openpgp in an application. The certificate that signed the cryptix-jce-provider jar expires on 28 Aug 2009. We will all either need: 1 - A new build, signed with a newer key. 2 - A new JCE implementation that doesn't require signed jars. 3 - A new package to use. Are others aware of this impending date and what are your plans? Tim Orbaker |
|
From: <Gre...@ri...> - 2009-07-02 23:42:51
|
Hello Tim, We also use cryptix-jce-provider jar for our open pgp encryption/decryption. As a test I set the date on our dev box to be 2010 and ran the unit tests where they passed, ie encrypted/decrypted messages OK. As a matter of interest, where would this certificate date be used? Cheers Greg Tim Orbaker <ti...@or...> 01/07/2009 18:03 To cry...@li... cc Subject [Cryptix-users] Impending certificate expiration I am using cryptix-jce and cryptix-openpgp in an application. The certificate that signed the cryptix-jce-provider jar expires on 28 Aug 2009. We will all either need: 1 - A new build, signed with a newer key. 2 - A new JCE implementation that doesn't require signed jars. 3 - A new package to use. Are others aware of this impending date and what are your plans? Tim Orbaker ------------------------------------------------------------------------------ _______________________________________________ Cryptix-Users mailing list Cry...@li... https://lists.sourceforge.net/lists/listinfo/cryptix-users Share our environment commitment - conserve resources and contribute to the reduction of CO2 emissions by not printing the email unless absolutely necessary to do so. Any opinions expressed are those of the author, not Ricoh UK Ltd. This communication does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in writing. It is the responsibility of the recipient to ensure this email and attachments are free from computer viruses before use and the sender accepts no responsibility or liability for any such computer viruses. Ricoh UK Ltd. may monitor the content of emails sent and received via its network for the purpose of ensuring compliance with its policies and procedures. This communication contains information, which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this communication in error, please notify the sender immediately by return email with a copy to pos...@ri... . Please contact us on +44 (0) 208 261 4000 if you need assistance. Registered in England No: 473236 VAT No: GB524161280 |
|
From: Edwin W. <ed...@wo...> - 2009-07-04 18:58:53
|
> I am using cryptix-jce and cryptix-openpgp in an application. The > certificate that signed the cryptix-jce-provider jar expires on 28 > Aug 2009. > > We will all either need: > > 1 - A new build, signed with a newer key. The Cryptix Foundation ltd is the owner of the certificate, but that organisation was dissolved a few years ago. While the private key is still (somewhere) in my possession, the foundation cannot get that certificate renewed anymore. So unless there is some other way for me to obtain a new certificate, there will be no new build. > 2 - A new JCE implementation that doesn't require signed jars. > 3 - A new package to use. Switching to Bouncycastle may be an option, but as the API is different that requires some work. Alternatively you or your organization could try to get your own code signing key and use it to create your own 'custom' version of the Cryptix JCE. Instructions are on the following page: http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61 I'm very interested in the results. Edwin |
|
From: Gianni <gia...@gm...> - 2009-07-06 21:25:24
|
Hi all, we are currently using the Cryptix-JCE implementation and we have tried in a development box to set a system date past to Aug the 29th, 2009. We have experimented that the environment starts and runs as usual. I think (actually, I hope) that this is the expected and correct behaviour, after reading from the Sun forum where they say: “The validation code which checked for certificate expiration was only found in JCE 1.2.1. It WAS REMOVED from JCE 1.2.2 and all successive releases like JCE in JDK 1.4.x and 5.x (and soon in 6.x). This expiration problem was the primary reason for releasing JCE 1.2.2 over three years ago. Export control regulations changed following the release of JCE 1.2.1, and Sun released 1.2.2 shortly thereafter so that customers wouldn't have this expiration problem. This change is documented as the first bullet in the change log for JCE 1.2.2, which is found both in the product distribution itself and on the following JCE product page: http://java.sun.com/products/jce/jce122_changes.html. That said, JCE 1.2.2 is indeed signed with a certificate which is valid until October 2006, HOWEVER the JCE 1.2.2 and JCE in JDK 1.4.x/5.x code no longer checks that expiration date. All it cares about is that the code signature is valid”. (Refer to: http://forums.sun.com/thread.jspa?threadID=678679&tstart=2506). As suggested in http://forums.sun.com/thread.jspa?threadID=716308&tstart=2235, I’ve also tried the command: “jarsigner -verify -certs -verbose cryptix-jce-provider.jar” and in both cases (real current date and faked date) the jar (and the single classes) is verified. Only the final warnings are different. Current date: jar verified. - Warning: This jar contains entries whose signer certificate will expire within six months. Faked date: jar verified. - Warning: This jar contains entries whose signer certificate has expired. (Similarly for each class we had "[certificate will expire on 8/29/09 12:04 AM]" in the case of current date and "[certificate expired on 8/29/09 12:04 AM]" in the case of the faked date). As a matter of comparison to the real word it is reasanable to think that a signed hand written paper document is still valid even after years and even after the signer’s death. At the same time I think that it is correct to assume that a digitally signed document (or file, a jar in this case) is still integer/verified even after that the signing certificate (actually its corresponding private key) is expired. Of course it is correct (for security reasons) that a signing key (and certificate) expires after a certain period of time, but the signatures of documents signed with that key should “survive” to it. Best regards and apologizes for the long post Gianni Polidoro Edwin Woudt ha scritto: >> I am using cryptix-jce and cryptix-openpgp in an application. The >> certificate that signed the cryptix-jce-provider jar expires on 28 >> Aug 2009. >> >> We will all either need: >> >> 1 - A new build, signed with a newer key. >> > > The Cryptix Foundation ltd is the owner of the certificate, but that > organisation was dissolved a few years ago. While the private key is > still (somewhere) in my possession, the foundation cannot get that > certificate renewed anymore. > > So unless there is some other way for me to obtain a new certificate, > there will be no new build. > > > >> 2 - A new JCE implementation that doesn't require signed jars. >> 3 - A new package to use. >> > > Switching to Bouncycastle may be an option, but as the API is > different that requires some work. > > Alternatively you or your organization could try to get your own code > signing key and use it to create your own 'custom' version of the > Cryptix JCE. Instructions are on the following page: > > http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61 > > I'm very interested in the results. > > > Edwin > > > ------------------------------------------------------------------------------ > _______________________________________________ > Cryptix-Users mailing list > Cry...@li... > https://lists.sourceforge.net/lists/listinfo/cryptix-users > > |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X