[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Java Crypto API questions
Jim Bell writes:
>>-- Problem with foreign applet vendors: how can a non-US security
>> class vendor certify a class to be used (outside the US).
>> Currently, it must be imported and signed by Sun. But, then
>> it can't be exported without a Commerce Department license.
>> No (current) plans to establish a signing authority outside
>> of the U.S.
>
>We've heard this assertion before. Why not import the software, generate a
>detachable signature, and then export the signature for re-attachment overseas?
>
I suspect (but don't have any direct knowledge) that strong crypto
classes are distributed after encryption by Sun's private key. The
corresponding public key is enbedded in the Java Class Loader and/or
virtual machine (or the security framework class -- I'm only speculating
here).
This means that "rogue" encryptors can't work under Sun's security
manager as they will be rejected as "unloadable"
Martin Minow
[email protected]