Sponsored Link •
Bob Scheifler: Now I have to worry whether I can trust the verifier I get from you. I must make sure some third party can't corrupt the verifier when you send it to me. This is where the object integrity mechanisms come into play. I must use object integrity in the process of making this one call to you to ask you for a verifier. I must make sure that both the data for the verifier you send me and any code I might download is actually the data and code you sent.
As part of this call therefore, I require you to authenticate and require that the communication have full object integrity. This way I know that the verifier I get back is, in fact, the verifier you intended to send. As a result of that call, then, I have a verifier object I know I can trust. I know I got the verifier object from you, and I know I got it intact. Now I can pass the suspect proxy object to the verifier and ask, "Verifier, do you trust this proxy object?"
The verifier can check code and data. It can leave pieces out if they are irrelevant. The verifier can do the necessary checking to decide that the suspect proxy is in fact a trustworthy proxy for you the service implementer.
Then the chain is complete. I know I have talked to you. I know you sent me a verifier I can trust. And I know you said you trust the proxy. Since I trust you for the purposes of performing operations on the service, then I should trust you to the same degree when you say that I should trust the proxy.
Bill Venners: Why do you use a verifier object rather than pass the suspect proxy directly to the bootstrap proxy?
Bob Scheifler: I don't send the proxy to you because of the way marshaling works. If I just simply ask this evil object to serialize itself, it could serialize itself into a form that is perfectly reasonable on your side but that would still be evil on my side. I have to make sure I really verify the object I will use, not some arbitrary representation of it. So the verification has to take place in my VM.
Bill Venners: What kinds of things might a verifier do to check the suspect proxy?
Bob Scheifler: That depends on the complexity your object. Let's start with a simple
case. You hand out the same immutable proxy object to everybody. It
has a code base that's a JAR file. A simple verifier contains a copy of
the immutable proxy object and does an equality check against the
suspect proxy with
.equals. You call
.equals on the expected proxy, the one contained inside
the verifier, passing it the suspect proxy. You write
.equals so that it recursively checks for data and class
equality on all the objects in the graph, and you're done.