Re: Chicken and Egg?

Marianne Mueller (mrm@eng.sun.com)
Tue, 11 Feb 1997 19:32:58 -0800

Date: Tue, 11 Feb 1997 19:32:58 -0800
Message-Id: <199702120332.TAA24212@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: dhboy@sb.net
Subject: Re: Chicken and Egg?

(I'm cc'ing the mailing list just so this gets archived in our Q&A
archive ...)

1. info on issuer.cert

issuer.cert

Specifies which of the issuer's certificates is to be used to sign
the certificate file, thereby authenticating the subject's public key. Its
value should be the number that javakey previously assigned to the issuer's
certificate when it generated it (or imported it). You can see which numbers
javakey assigns to certificates by viewing the output of the -ld or -li
javakey option. Note: This issuer.cert property is only required if the
certificate being generated is not self-signed. (A self-signed certificate
is one for which issuer.name equals subject.name.)

2. JDK 1.1 beta 3

Yes, the bug about ClassCastException has been fixed.

3. Which CAs will issue certs for JDK 1.1 digital signatures

Negotiations are in progress so we can't comment but we are talking
with CAs. The interesting or tricky part, depending on your
perspective, is that the Sun provider to the java.security APIs in JDK
1.1 implements digital signatures using the DSA algorithm. Most CAs
are set up to issue certs for RSA-based signatures. Of course with
X509v3 they can issue certs for a variety of implementations but they
hadn't done so to date.

> Date: Thu, 06 Feb 1997 21:23:01 +0000
> From: David Boydston <dhboy@sb.net>
> Reply-To: dhboy@sb.net
> Organization: Solutions Consulting
>
> Thanks Marianne,
>
> I did manage to get the file signed using the reference:
> http://java.sun.com/security/usingJavakey.html
>
> and I did figure out where the confusion got me.
>
> After reading several of the security .html files and looking at the
> directive example file in
> JDK1.1b3/docs/tooldocs/win32/javakey.html#CertificateGeneration
> one would assume (at least I did :) ) that the issuer and subject would
> be *different* entities. (If I always vouch for myself, the trust is
> quite meaningless)
>
> The example shows issuer.name=jsmith and subject.name=mlaunay so I'm
> asking myself "how can I get a 'trusted' certificate to create my
> certificate?"...and I downloaded Duke.X509, imported him with javakey and
> tried to use issuer.name=Duke. This crashes javakey like this:
>
> G:\JDK1.1b3\JavaDev\SerPort\WinTerm\Applet>javakey -gc dbCert.dir
> java.lang.ClassCastException:
> at sun.security.provider.Main.generateCertificate(Main.java:802)
> at sun.security.provider.Main.generateCmd(Main.java:698)
> at sun.security.provider.Main.run(Main.java:1313)
> at sun.security.provider.Main.main(Main.java:1341)
>
> Perhaps the next release docs explain this better. (and maybe fixes the
> above ClassCastException)
>
> BTW do you know which CAs are planning to issue Certs for use with
> javakey?
> --
> Dave Boydston
> Solutions Consulting
>
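The issuer.cert rule from point 1 of the reply, as an added example that is not part of the original message or of javakey itself: a small linter that reads a certificate directive file and reports when a non-self-signed certificate lacks a usable issuer.cert. The function names, the `#` comment handling, the exact-match name comparison, and the sample values are assumptions made for illustration.

```python
# Added example: lint a javakey certificate directive file against the
# issuer.cert rule quoted in the message. Constructed inputs only.

def parse_directives(text):
    """Parse key=value lines; blank lines and '#' comments are skipped
    (comment handling is an assumption about the file format)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def check_issuer_cert(text):
    """Return a list of problems; an empty list means the rule holds."""
    props = parse_directives(text)
    missing = [k for k in ("issuer.name", "subject.name") if not props.get(k)]
    if missing:
        return [f"{k} is missing" for k in missing]
    # Self-signed: issuer.name equals subject.name (exact match assumed).
    if props["issuer.name"] == props["subject.name"]:
        return []
    cert = props.get("issuer.cert")
    if cert is None:
        return ["issuer.cert is required: certificate is not self-signed"]
    if not cert.isdigit():
        return [f"issuer.cert must be a javakey certificate number, got {cert!r}"]
    return []

# Constructed samples using the names from the thread.
SELF_SIGNED = "issuer.name=jsmith\nsubject.name=jsmith\n"
CROSS_NO_CERT = "issuer.name=jsmith\nsubject.name=mlaunay\n"
CROSS_WITH_CERT = "# signer\nissuer.name=jsmith\nissuer.cert=1\nsubject.name=mlaunay\n"

if __name__ == "__main__":
    for name, text in [("self-signed", SELF_SIGNED),
                       ("cross, no issuer.cert", CROSS_NO_CERT),
                       ("cross, issuer.cert=1", CROSS_WITH_CERT)]:
        print(name, "->", check_issuer_cert(text) or "ok")
```

The number given for issuer.cert still has to match one that javakey actually assigned to the issuer's certificate, which only the -ld or -li output can confirm.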