Alan Montgomery wrote:
> On Thu, 29 Sep 2005 16:27:40 +0100, Johan du Plessis
> <[email protected]> wrote:
>
>> Signing would create significant problems in our environment. We have an
>> enterprise application running on users' handsets. The user logs in using a
>> secure WAP site and downloads the installation SIS. The thing is, we need to
>> package user-specific information into that file - specifically RSA Keys,
>> Server logins and the like. This can simply not be done with the current
>> model.
>>
>
> As I understand things the user data can be put into an unsigned SIS
> file and can then be installed without problems. The only problem I see
> is that this information should be in a high security area such as
> your application's private directory, and this should require a signed
> SIS file.
> A solution to this is to store it in a low security area in secure form
> and have your application "import" it and store a decrypted form in
> its private area.
>
Yup, as Alan says, this would be the recommendation.
You _can_ install unsigned SIS files or download packaged (in your way)
data to the device. These would go into a public area. From there you can
import and delete temp data accordingly. Since you will be distributing
keyrings (from what I gathered) these should already be encrypted (I
hope 😊), which poses no further threat. Think of the process as a 2-stage
download, if you may.
Hope that helps
/JP
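
The two-stage import described in this thread, sketched in Python as an added example that is not part of the original posts or of any Symbian API. Assumptions: the key is derived from a secret the user already holds (such as a login PIN), `private_dir` stands in for the application's private directory, and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for a real AEAD cipher because the standard library has none.

```python
import hashlib, hmac, os

def _keys(passphrase: bytes, salt: bytes):
    # Assumption: key material comes from a user-held secret, never from the package.
    k = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Use a vetted AEAD in production.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    """Server side: build the blob that ships in the unsigned package."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(passphrase, salt)
    ct = _keystream_xor(ek, nonce, plaintext)
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def import_blob(public_path: str, private_dir: str, passphrase: bytes) -> str:
    """Stage 2 on the device: verify, decrypt into the private area, delete staging."""
    with open(public_path, "rb") as f:
        blob = f.read()
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _keys(passphrase, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    # The public area is writable by anything, so authenticate before decrypting.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # tampered blob or wrong secret
    dest = os.path.join(private_dir, "keyring.bin")  # hypothetical file name
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(_keystream_xor(ek, nonce, ct))
    os.remove(public_path)  # only the encrypted copy ever sat in the public area
    return dest
```
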