Re: [Jpwsafe-devel] Update...

[David <ro...@us...>]

<repost, originally sent directly to Mike>

Hi Mike, 

to me your extension looks good and well done. Great stuff! We might
attract quite a little following with S3 support. :-))

Some comments: (also see on your mail at the end) 

* Better not use Blowfish on CryptoStreams, the V3 format uses Twofish,
which is one of the reasons why it was created (see PwsFileV3).
I guess you just expected it to work like V1 / V2... 

* when I ran an ant build I got compile erros because of Base64: 
I suppose your import of a sun internal base64 class was accidental, I
changed it to the s3 Version. By the way, running the ant build (all)
for the lib project is also a good test case - try it ;-)

* I also fixed a possible bug in FileConverter, just imagine a filename
like /tmp/safefile.ps3

* Please replace the system out with log entries in the final code.

* S3 Licence: where is the s3 jar from? Is its licence compatible with
the artistic licence 2 of jpwsafe? Is it the JetS3t lib?

* New sources: I'm note sure whether you know, but the copyright for all
jpwsafe sources is  held by the project lead (at the moment: me) in
order to keep things simple. That's what the source code header states
- I hope that's ok with you.

Am Sonntag, den 25.01.2009, 10:20 -0500 schrieb Michael Tiller:
> I've worked a fair amount on polishing the S3 stuff and it is in
> pretty good shape now.  I've written several tests (and re-orged them
> as well).  The S3 information is now stored directly in an encrypted
> file (using the same passphrase as the data stored on S3).
Using the same passphrase is sensible. 

> There is a one time only need to enter the access key and secret key
> for S3 whenever creating a new S3 storage location.  This can be done
> two ways.  First, it could be added to the SWT UI (it would have to
> prompt the user for the access key, secret key and desired bucket name
> whenever creating a new ".ps3" file).  The alternative is to have a
> separate UI just for generating the initial ".ps3" file (let me know
> if you want a different extension).
I certainly prefer to include it in the UI login screen. After merging,
I suggest something like an "open other online safe" button on the login
screen. Known online safes can simply be listed together with file based
ones. Creating a new one can be part of the (future) password safe
creation wizard.

> Is it OK to go ahead and add ".ps3" (or whatever is agreed upon) as a
> valid file extension in the UI?
The .ps3 extension is reserved for postscript level 3 files. What
about .psafes3 ? Or .pws3 ?

> P.S. - I'm trying to apply for a group S3 account.  The problem is
> that it requires a credit card.  I'm in the process of getting a
> prepaid $20 gift card generated and I'll use that to start the S3
> account.  $20 should be more than enough to support the tiny amount of
> storage and bandwidth that testing would require.  Needless to say,
> don't store too much data in there or run the tests unnecessarily.  If
> the charges after the first month are too high, we'll look at how to
> reduce it but I'm not worried.
Great! I'm really looking forward to try it out. 

Tell if you're done with the lib changes, then I can merge the branch
into trunk. We shouldn't wait too long. Next thing I want to do is
to  externalise strings, I would prefer to start that after the merge.

Future Direction: I think it should be just as easy to add a webdav
based online safe, as it's basically another https transport? 

Maybe I found a hint for the classnotfound exception on startup - it
happened to me too on the S3 branch. Adding xercesimpl to the build path
fixed it. But I can't reploduce it...

Now nobody will stop us from world domination >:->

Cheers,
David