Trusted clients in Java: possible?
My question is not about whether a client should trust the authenticity of a Java application, but rather the reverse problem:
- the client is written in Java and is run on the customer's computer
- the client communicates with a server, and it is the server that needs to know whether the client's code is intact, since the server accepts data that it cannot easily (or at all) verify
From my discussions, many folks would plainly say it is not possible. But, without necessarily understanding too much about the possible combination or parts of it, I tend to still think that a combination of the following features should make it possible:
- Java classloader and concept of "sealed" JARs
Is that enough? If not, what would need to be added? Is this really an impossible task?
If the Java platform itself is compromised, then I'd guess nothing would help. OK then, can the Java runtime's authenticity be verified somehow too?