Re: JCE and SSL

David Brownell (db@Eng)
Tue, 15 Sep 1998 11:08:07 -0700

Morten Helles wrote:
>
> Hi!
>
> I am writing a master thesis on Java Security, including JSA and
> JCA/JCE. Reading Scott Oaks book' "Java Security" I noticed that Sun has
> implemented Java-classes for SSL-support (namely the SSLSocket and
> SSLServerSocket classes), yet they are not part of the JCE?

No, since (as Jeff noted) you can't do "cryptography" with SSL.

> Any reasons
> for this?

JCE and SSL both _use_ cryptographic algorithms, but since they
are exposed by JCE there is a strongly different set of export
regulations that apply. I'll leave the details to other sources,
and just state the conclusion that an SSL API is exportable, but
not an API that permits you to transform plaintext to ciphertext
and back again.

What this means from the perspective of product management is
that SSL and JCE must be separate APIs, implementations, etc.

> Has Netscape patented the SSL-technology?

There's a patent that could affect APIs, but Netscape has said
they won't enforce it (IETF rules affect this).

- Dave

> Kind regards,
>
> Morten Helles
> -- Department of Computer Science, University of Copenhagen.