(last updated 2007-10-16) MIME media type name : Application MIME subtype name : Vendor Tree - vnd.joost.joda-archive Required parameters : none Optional parameters : none Encoding considerations : binary This media type may require encoding on transports not capable of handling binary. Security considerations : A Joost Open Distribution Archive (JODA) contains an extension for the Joost Application which is integrated within the application. The JODA may contain javascript which is executed in a sand boxed environment. They can be conceptualized as 'any web page or web-widget with some javascript' running inside the Joost Application. As such there are significant security considerations. These are addressed by: - Digital signatures. Joda archives may be signed (See http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html for the technology used) or must be signed - depending on sandbox restrictions. Signatures are only issued to identified parties after an agreement is reached. Depending on the level this agreement includes mandatory privacy, eula and terms of service limitations. - The digital keys used for signatures are (to be) issued by a sandbox recognized certificate authority. Normal x509 based CRL's, expiry and similar control technology applies. - The digital signature also prevents tampering with the joda. - As the contents of JODA's are public - there are no requirements for ensuring that the JODA its content is protected in any way. - Any executable components are ran in a sandbox-ed environment within the application. The user has configuration options allow him or her to further pair down these restrictions, independent of certification level. - Depending on the degree of vetting; the digital signature indicates to what level certain sandbox restrictions may be lifted after which the sandbox may, with the users permission, allow access to information outside the sandbox associated with the user (e.g. his unique ID) and other environmental information. - Depending on the degree of vetting and communication allowed - the sandbox may enforce/allow client-side x509 certificate authenticate https connections with the outside world to servers with a x509 certificate issued by a recognized authority. Any such (secret) keys or other private digital artifacts are not part of, or accessible to, the JODA but are kept outside it's sandbox and distributed/created by another (secure) path. Interoperability considerations : Platform neutral. Published specification : The Joost(tm) Open Distribution Archive (JODA) version 1.00 details the semantics (see the developer section on the website: http://dev.joost.com); while http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html in essence describes the binary encoding (ZIP) and digital signature procedures). Applications which use this media : Use within software distributed by Joost Operations S.A. Additional information : 1. Magic number(s) : PK\003\004 2. File extension(s) : joda 3. Macintosh file type code : JODA 4. Object Identifiers: enterprise.27305.1.2.1 See the developer section on http://dev.joost.com/ for more information. Intended usage : Common Distribution of 'widgets'. Author/Change controller: Joost Technologies B.V. Schipholweg 101 T 2316 XC Leiden The Netherlands mailto:joda&joost.com http://dev.joost.com (file created 2007-10-16)