From: Michael Kirk <mkirk@cisco.com>
Message-Id: <199703040647.RAA12649@metaplex-ss10.cisco.com>
Subject: Re: Do you have a X509 implementation ?
To: mrm@Eng
Date: Tue, 4 Mar 97 17:47:13 EST
In-Reply-To: <199703040629.WAA06954@puffin.eng.sun.com>; from "Marianne Mueller" at Mar 3, 97 10:29 pm
>
>
> > From: Michael Kirk <mkirk@cisco.com>
> > Date: Wed, 26 Feb 97 16:55:02 EST
> >
> > In your document "Security in JDK 1.1" there is a reference to
> > sun.security subpackages which include classes to handle X.509
> > certificates. Firstly, where might I find these classes and the
> > documentation necessary to use them ? And secondly, are these
> > classes likely to become part of the core Java classes at any stage ?
>
> Pardon me if I've forgotten if this question was answered yet or not ...
>
> The sun.security subpackages in JDK 1.1 aren't supported.
Does this mean they're unavailable independent of the JDK ?
I would like to use them...
> We will have support for X509v3 in JDK 1.2.
>
Are there any estimates as to when 1.2 might hit the streets ?
Thanks,
Michael
> Here are answers to some common questions about the X509V3 project.
>
> --
>
> Summary:
>
> * JDK 1.1 has the basic technology for digital signatures
>
> * Future releases (JDK 1.2 and beyond) will have enhanced
> support for X509v3 certificate management, both generating
> and requesting
>
> * Future releases (JDK 1.2 and beyond) will have support
> for flexible security policies and finer-grain policies
>
>
> --> 1) javakey uses X.509v1 certificates and other browsers
> --> support v3. How does this work together? Are there
> --> any problems?
> -->
>
> X.509v3 is a superset of X.509v1, so if browsers have support
> for X.509v3 they automatically support X.509v1. There should
> be no problems.
>
> --> 2) Why was it decided to go with v1 instead of v3?
> -->
>
> X.509v3 was finalized in June of 1996. The major enhancement is the
> support for extensions. Now almost any arbitrary data can be embedded
> in the certificate and marked for criticality during verification. So
> for example, one of the extensions defined is AltNames. The Subject
> Distinguished Name is not too user friendly but suppose you use the
> AltName extension and mark it as CRITICAL then you have the capability
> of using alternate name forms such as email addresses.
>
> This also needs a profile (i.e. a minimum set of extensions that have
> to be supported). A number of profiles have come into existence but
> none are in a committed form yet. So, we had to wait until things
> settled; we are now ready to support X.509v3 and the IETF PKIX and
> ANSI X9.57 profiles.
>
>
> --> 3) What are the differences between v1 and v3?
> --> Found the following in the JDK1.1 documentation. If you
> --> have a URL to more info, I'd appreciate it.
>
>
> The problem is that the X.509 specification is a CCITT spec. and as
> such not freely available. You should look at the IETF PKIX working
> group internet drafts.
> (ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part1-03.txt).
>
>
> -->
> --> 4) What is the roadmap for javakey?
>
> We will be adding support for X.509v3 in jdk1.2. The profiles
> we will support are as mentioned above.
>
>
>
>
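The criticality marking described in answer 2 above, as an added example that is not part of the original messages or of the JDK: a stdlib-only Python sketch that DER-encodes three constructed X.509v3 extensions and applies the standard rule that a verifier rejects a certificate carrying a critical extension it does not understand. The OIDs 1.2.3.4 and 1.2.3.5 and the e-mail address are constructed sample values, and only short-form DER lengths are handled.

```python
# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # OID 2.5.29.17
MADE_UP = bytes.fromhex("2a0304")           # OID 1.2.3.4, constructed for this example

def tlv(tag, content):
    """DER-encode one element; short-form lengths only (content < 128 bytes)."""
    if len(content) > 127:
        raise ValueError("sketch handles short-form lengths only")
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def children(buf):
    """Split the contents of a constructed element into [(tag, content)]."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def extension(oid, critical, value):
    flag = tlv(0x01, b"\xff") if critical else b""  # DER omits the FALSE default
    return tlv(0x30, tlv(0x06, oid) + flag + tlv(0x04, value))

def parse_extensions(der):
    """Return [(oid_bytes, critical, value)] from a SEQUENCE OF Extension."""
    out = []
    for _, ext in children(read_tlv(der, 0)[1]):
        parts = children(ext)  # OID, optional BOOLEAN, OCTET STRING
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        out.append((parts[0][1], critical, parts[-1][1]))
    return out

def unhandled_critical(der, understood):
    """Critical extensions this verifier does not understand; any hit means reject."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in understood]

def rfc822_names(san_value):
    """E-mail names from a SubjectAltName value (GeneralName tag [1] = 0x81)."""
    return [v.decode("ascii") for t, v in children(read_tlv(san_value, 0)[1]) if t == 0x81]

# Constructed sample: critical SAN, critical unknown extension, non-critical unknown one
SAN = tlv(0x30, tlv(0x81, b"alice@example.com"))
EXTS = tlv(0x30, extension(SUBJECT_ALT_NAME, True, SAN) + extension(MADE_UP, True, b"\x05\x00")
           + extension(bytes.fromhex("2a0305"), False, b"\x05\x00"))
```

A verifier that only knows SubjectAltName gets `[MADE_UP]` back from `unhandled_critical(EXTS, {SUBJECT_ALT_NAME})` and must reject; the non-critical unknown extension is ignored.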