The Artima Developer Community

Object Integrity
A Conversation with Bob Scheifler, Part III
by Bill Venners
July 22, 2002

<<  Page 2 of 5  >>


Using HTTPS URLs for Integrity

One possible way to get integrity for downloaded code is to use HTTPS URLs. You are a service, and you send me a proxy that has classes annotated with an HTTPS URL. That will guarantee integrity because you sent me an HTTPS URL, and you sent it in-band. The URL itself has normal data integrity, so I get the URL you thought you sent.

HTTPS gives me server authentication along with confidentiality and integrity. I will require the HTTP server to authenticate under the host's identity. The actual transfer of the JAR file will have, in fact, both encryption and guaranteed integrity. If you annotate your classes with an HTTPS URL, then I know I will get the classes you expected.

One possible way to ensure object integrity is to say everybody should use HTTPS URLs for their code bases. But that has some disadvantages. One is that you have to set up public key certificates for your HTTP server to authenticate as the host. If I am just a vanilla user I need to get somebody to generate host certificates for which they are willing to give me private keys. That may be a problem. Another problem is that I get encryption of the code even though I don't care about encryption. I don't care about keeping it private because I will probably serve it up to anybody who asks. I don't want to keep the code private. I just want to make sure it has integrity.
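
Added example, not part of the interview and not code from Jini: a client-side check that every URL in a codebase annotation uses HTTPS, since a single plain-HTTP entry lets classes arrive without the integrity described above. It assumes the annotation is a space-separated list of URLs, as RMI codebase annotations are; the class name, method name and sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

public class CodebaseIntegrityCheck {

    /**
     * Returns the entries of a codebase annotation that do NOT give
     * download integrity. An empty result means every entry is an
     * https URL with a host the server must authenticate as.
     */
    static List<String> entriesWithoutIntegrity(String annotation) {
        List<String> rejected = new ArrayList<>();
        if (annotation == null || annotation.trim().isEmpty()) {
            rejected.add("<no codebase annotation>");
            return rejected;
        }
        for (String entry : annotation.trim().split("\\s+")) {
            try {
                URI uri = new URI(entry);
                boolean https = "https".equalsIgnoreCase(uri.getScheme());
                boolean hasHost = uri.getHost() != null;
                // The class loader may fetch from any entry, so each one
                // must be https; one http entry voids the guarantee.
                if (!https || !hasHost) {
                    rejected.add(entry);
                }
            } catch (URISyntaxException e) {
                rejected.add(entry); // unparseable entries are never trusted
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample annotations (hypothetical hosts).
        String[] samples = {
            "https://codebase.example.com/service-dl.jar",
            "https://codebase.example.com/service-dl.jar http://mirror.example.com/util-dl.jar",
            "file:/tmp/service-dl.jar"
        };
        for (String annotation : samples) {
            List<String> rejected = entriesWithoutIntegrity(annotation);
            System.out.println((rejected.isEmpty() ? "ACCEPT " : "REJECT ")
                    + annotation + (rejected.isEmpty() ? "" : "  <- " + rejected));
        }
    }
}
```

The check only inspects the scheme; the integrity itself comes from the TLS session at download time, when the server authenticates as the host named in the URL.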
