Java开发网 » Java Security
Topic: Confusion about digital signatures!
feiggle | Posts: 70 | Points: 20 | 2003-04-08 11:42
I have never been quite sure of my own understanding of public and private keys, so I am writing it down and hoping you can all point out my mistakes!

As far as digital signatures are concerned, their purpose is to let users trust the software a software vendor has provided, and to guarantee that the code was not altered by a third party on its way to them. In other words: as the customer, I have to trust the software vendor; as the software vendor, I have to guarantee that no third party has changed my code. It is still a question of trust between two roles.

My confusion now is this: after I sign a jar with my private key, how do I distribute my public key? What are the usual ways? Surely I don't turn the public key into a certificate and hand it to users one by one? Is it that an authoritative certification authority signs my public key once more and that is what gets distributed to users? How is this solved?
My application is B/S (browser/server). For a digitally signed jar, how do I get the corresponding public key to the client?




Re: Confusion about digital signatures! [Re: feiggle]
menzy (moderator) | Posts: 754 | Points: 113 | 2003-04-08 14:14
The CA issues a Cert to the service provider and at the same time maintains an LDAP certificate list and a revoked-certificate list.
If the service provider produces an applet and signs it with the Cert, then when the client uses it a prompt appears showing the Cert information.
In fact there is a verification process in between: it has to talk to the CA's LDAP server to verify that the Cert is valid.
See
http://apollon.ulis.ac.jp/opt/jdk1.2-docs/docs/zh/guide/security/spec/security-specTOC.fm.html



Would distributing it as a certificate work? [Re: feiggle]
feiggle | Posts: 70 | Points: 20 | 2003-04-09 09:30
Without LDAP, is there a simpler way, such as turning it into a certificate and distributing that?



Re: Confusion about digital signatures! [Re: feiggle]
menzy (moderator) | Posts: 754 | Points: 113 | 2003-04-09 16:45
Without LDAP, the server has to provide a certificate list, so that the validity of the client's certificate can be verified.
Alternatively it might be done through a certificate chain, but I don't know the concrete steps. Every certificate system we might adopt at the moment requires a third party to provide LDAP; otherwise the purpose of using certificates is not achieved.



Re: Confusion about digital signatures! [Re: feiggle]
floater, Java Jedi (head moderator) | Posts: 3233 | Points: 421 | 2003-04-10 03:40
When you run your applet in a browser, the browser's Java plug-in will prompt you whether you trust the cert (the one used to sign the applet). You don't need to give it to the users of your applet; it's already in the jar file, and the browser will extract the info from the cert and show it to the users.

A lot of things you have to try, assuming people are smart enough to make things simple.

However, there is a catch. You have to push the CA cert of your cert into the user's browser if it's not there. Most of the commercial CA certs are already in the browsers (out-of-the-box installation), unless you want to create your own CA cert (using something like openssl) because you want to save some dollars.

Finally, you don't need to worry about LDAP, I think. There are several cases where you need to do so, but not in your case. As long as users accept your cert in their browsers, the applet will start to run. They don't care whether your cert is valid or not, or check against the CRL to see whether your cert is revoked or not (you can install some 3rd-party tools to do so); and users won't care about the fields in your cert either.

However, you need to make sure your cert hasn't passed its expiry date (normally a cert has 365 days of validity; after that you need to renew it). Browsers will still display your info, but users could have some doubts (I always reject expired certs no matter what).



"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
- Martin Fowler, Refactoring - Improving the Design of Existing Code
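The client-side check that floater describes (the signer's certificate chain travels inside the jar, so the only thing the client needs locally is the CA certificate it already trusts), combined with the CRL check against the CA's revocation list that menzy mentions and the expiry check floater raises, written out as an added example. This is not code from any post in the thread; it uses only standard JDK APIs (java.util.jar, java.security.cert). The file names app.jar and client-truststore.jks (password "changeit") and the optional CRL file are hypothetical inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Client-side check of a signed jar (added example, not from the thread).
 * The signer's certificate chain is carried inside the jar (META-INF/*.SF and
 * *.RSA/*.DSA), so nothing has to be handed to users separately; the client
 * only needs a local trust anchor: the CA certificate, or the signer's own
 * self-signed certificate when no CA is involved.
 *
 * Hypothetical inputs: app.jar (the signed jar), client-truststore.jks (a JKS
 * keystore whose trusted-certificate entries are the anchors, password
 * "changeit") and, optionally, a CRL file fetched from the CA.
 */
public class SignedJarCheck {

    /** Collect the signer chain(s) of every entry outside META-INF. */
    static Set<CertPath> signerChains(JarFile jar) throws Exception {
        Set<CertPath> chains = new HashSet<>();
        byte[] buf = new byte[8192];
        for (JarEntry e : Collections.list(jar.entries())) {
            if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
            // JarFile only checks an entry's digest while its bytes are read; a
            // tampered entry surfaces as a SecurityException here, and
            // getCodeSigners() returns null until the entry has been read to the end.
            try (InputStream in = jar.getInputStream(e)) {
                while (in.read(buf) != -1) { }
            }
            CodeSigner[] signers = e.getCodeSigners();
            if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
            for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
        }
        return chains;
    }

    /**
     * PKIX path validation: the chain must end at a trust anchor from the
     * keystore, and every certificate must be inside its validity period at the
     * current time, so an expired signer certificate is rejected here.
     * Revocation is checked only when a CRL is supplied; with none, PKIX would
     * refuse to validate because it cannot determine revocation status.
     */
    static void validate(CertPath chain, KeyStore trustStore, List<X509CRL> crls) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore);
        if (crls.isEmpty()) {
            params.setRevocationEnabled(false);
        } else {
            params.setRevocationEnabled(true);
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));
        }
        CertPathValidator.getInstance("PKIX").validate(chain, params);
    }

    static String describe(CertPath chain) {
        X509Certificate leaf = (X509Certificate) chain.getCertificates().get(0);
        return leaf.getSubjectX500Principal() + ", valid until " + leaf.getNotAfter();
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args.length > 0 ? args[0] : "app.jar";
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("client-truststore.jks")) {
            trustStore.load(in, "changeit".toCharArray());
        }
        List<X509CRL> crls = new ArrayList<>();
        if (args.length > 1) { // optional second argument: CRL file from the CA
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(args[1])) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (CertPath chain : signerChains(jar)) {
                validate(chain, trustStore, crls);
                System.out.println("trusted signer: " + describe(chain));
            }
        }
    }
}
```

The trust store stands in for the browser's certificate store: the vendor distributes only the CA certificate (or its own self-signed certificate, if it acts as its own CA), imported once with `keytool -importcert -file ca.crt -alias myca -keystore client-truststore.jks`; the signer certificate itself never has to be sent out of band because `jarsigner` embeds the chain in the jar. Note that PKIX validation uses the current date, so a jar signed with a certificate that has since expired fails the check unless the signature was timestamped, which matches floater's advice to renew before expiry.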

Copyright © 2002-2021 Cjsdn Team. All Rights Reserved. 闽ICP备05005120号-1