Java cryptography and free distributions
Posted Mar 15, 2007 17:25 UTC (Thu) by iabervon
Parent article: Java cryptography and free distributions
It should be fine to have the JVM use a set of public keys from a configuration file alongside the JVM binary (as far as security, if someone can replace the keys, they could just replace the JVM binary), and the Sun distribution could distribute Sun public keys (as "mere aggregation"), and the installer could put the Sun keys in the location where they'll be used. Anybody else who wanted to distribute Java, and who wanted to be able to sign security modules, could include their public keys.
I don't see any problem with the idea that, if you want to use JSS from Fedora, you need to have a JVM from Fedora, or at least have the Fedora package manager reconfigure the JVM you're using after it's installed. It seems like the obvious Free Software and public key interaction is this: for all public keys that go into a system, the end user needs to either have the private key, or needs to be able to replace the public key, in the copy that user will use, with a public key that the user does have the private key for. This gives the end user two important abilities: be trusted by the software, and cause the software to trust a selected other person. (I would go so far as to say that it would be "not free" to make it legally impossible for the end user to decide to trust Sun without having Sun's private key.)
to post comments)