Re: But what does that get me...?

Marianne Mueller (Marianne.Mueller@Eng)
Thu, 4 Jun 1998 15:29:39 -0700 (PDT)

To: java-security@web2.javasoft.com, felts@subrosa.com

Signed code (or digital signatures in general) gets you two things:

1) authentication -- you know for sure where the code came from or who
published it

2) integrity -- you know for sure that the bits you are using are 100% the
same bits that the publisher wanted you to use

If anyone changes the file (changes any of the bits), the verification of
the digital signature will fail.

Other Java technologies for encryption are JCE (cryptographic extension,
requires JDK 1.2) and SSL (bundled with the Java Web Server and HotJava
Browser -- provides an encrypted communication channel between two parties
on the internet.)

Security is not limited to crypto features - the Java security model
relies on safety features in the Java language (no pointers, type safety,
bounds-checked arrays, immutable strings, ...), safety features at the
VM (virtual machine == interpreter) layer, such as classloader and verifier,
and safety features at the application layer, that is, a security policy
enforced by the SecurityManager.

Java security: http://java.sun.com/security
http://java.sun.com/sfaq

JCE: http://java.sun.com/products/jdk/1.2/jce/

New features in JDK 1.2:
http://java.sun.com/products/jdk/1.2/docs/guide/security/index.html

If you're interested in cryptography, a good reference book is
Bruce Schneier's "Applied Cryptography." He has a web page
at www.counterpane.com.
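
Added example, not part of the original message: the two properties described above (authentication and integrity), shown with the standard java.security.Signature API. The class name, the sample bytes and the choice of SHA256withRSA with a 2048-bit key are assumptions made for this illustration; the message itself names no algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Hypothetical demo class: signs some bytes, then checks them three ways.
public class SignedCodeDemo {

    // The publisher signs the bytes with the private key.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // The recipient checks the bytes against the signature with a public key.
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair();
        KeyPair someoneElse = gen.generateKeyPair();

        // Constructed stand-in for the contents of a signed file.
        byte[] code = "constructed sample bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(publisher.getPrivate(), code);

        // Integrity: flip a single bit in a copy of the signed bytes.
        byte[] tampered = code.clone();
        tampered[0] ^= 0x01;

        System.out.println("unchanged bytes, publisher's key: " + verify(publisher.getPublic(), code, sig));
        System.out.println("one bit flipped, publisher's key: " + verify(publisher.getPublic(), tampered, sig));
        // Authentication: the signature only checks out against the publisher's key.
        System.out.println("unchanged bytes, different key:   " + verify(someoneElse.getPublic(), code, sig));
    }
}
```

Only the first check succeeds. The "where the code came from" guarantee holds only as far as the verifier has the publisher's genuine public key, which is what certificates are used to establish.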