JDK 1.2, please provide SSL interfaces and "force" :-) browser vendors to provide implementations

George Chung (gchung@openhorizon.com)
Wed, 19 Nov 1997 13:53:40 -0800

Message-Id: <199711192155.NAA29746@openhorizon.com>
From: "George Chung" <gchung@openhorizon.com>
To: <java-security@javasoft.com>
Subject: JDK 1.2, please provide SSL interfaces and "force" :-) browser vendors to provide implementations
Date: Wed, 19 Nov 1997 13:53:40 -0800

Dear Sir/Madam,
Two requests...

1. Doesn't it seem reasonable to have the browser vendors who license Java
provide an implementation of an SSL socket? After all, they expose SSL
functionality at a high level through URLConnection. Otherwise, if my applet
needs a client side SSL socket, the applet will have to be packaged with a
commercial Java SSL package which would add considerably to the size of the
download. Seeing that one of the hallmarks of Java is security, my humble
opinion is that security (in this case client side SSL sockets) should be
easily available to an applet and minimum expense (download time and
licensing).

2. Provided that point 1 is a reasonable request, then it would be logical
for JavaSoft to provide standard SSL interfaces. Why?

If the browser vendors expose SSL functionality by providing a subclass of
Socket, say SSLSocket, I need a portable way of configuring that SSLSocket
whether I'm inside a Netscape browser or an IE browser.

In other words I need a portable way of creating certificate chains (if the
client needs to be authenticated), creating an ordered list of desired
cipher suites, verifying the certificate chain sent by the server, etc.

Otherwise I have to write a lot of conditional code depending on what
SSLSocket implementation I'm using.

Am I way off base? What would be the issues (technical and legal) that
prevent such an environment?

Regards,
George Chung
Open Horizon, Inc.