Re: [GNU Crypto] Passwords Immutable?

[Casey Marshall]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Matthew" == Matthew Sackman <address@hidden> writes:

Matthew> On Mon, Apr 12, 2004 at 02:41:14PM -0700, Casey Marshall
Matthew> wrote:
>> There's also the javax.security.auth.Destroyable interface, which
>> any JVM worth it's salt should be written to respect.

Matthew> And now in 1.5 there's
Matthew> java.security.KeyStore.PasswordProtection which does
Matthew> everything that's needed. So I would simply use that and
Matthew> state that there are significant security concerns with using
Matthew> the crypto library with any JVM which doesn't implement
Matthew> version 1.5 or higher.

Ugh, using a class specific to KeyStores as a generic password class?

Double ugh, requiring proprietary software that's still in beta?

Matthew> I really don't see the point in writing code which is most
Matthew> likely to provide no additional security especially
Matthew> considering how rapid the switch to 1.5 will probably be. So
Matthew> I'd just use the PasswordProtection class if available and
Matthew> not bother if it's not.

One thing we won't do in GNU Crypto is use any feature that is not
available in GNU Classpath, and thus available in a free runtime.

In fact, I have been considering explicitly requiring GNU Classpath as
our target. That is, GNU Crypto would have to work with (at least)
libgcj and sablevm, and maybe kaffe, but it can be incompatible with
old releases of proprietary VMs. I was going to eventually post this
question to the list, but I guess I'll do it here.

- -- 
Casey Marshall || address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>

iD8DBQFAgF5bgAuWMgRGsWsRAmiGAJ450CsRI1LsLPvRABW176oOUylE0gCfaJm+
z0tUeVBUwakQo5/6QuG/Jn0=
=TXdE
-----END PGP SIGNATURE-----