Re: Javasoft SSL Beta

David Brownell -- JavaSoft (db@doppio)
Thu, 13 Mar 1997 10:14:19 -0800

Date: Thu, 13 Mar 1997 10:14:19 -0800
From: db@doppio (David Brownell -- JavaSoft)
Message-Id: <199703131814.KAA04286@argon.eng.sun.com>
To: java-security@java.eng.sun.com, mccoubre@direct.ca
Subject: Re: Javasoft SSL Beta

> Date: Thu, 13 Mar 1997 09:33:37 -0800
> From: Warren McCoubrey <mccoubre@direct.ca>
>
> > > In the alpha2 release, a SSL socketServer was constructed with a
> > > private-key and certificate chain. How does it get that info now ?
> >
> > Private initialization APIs accessed through SSLEndpoint. Those
> > APIs need to change. The actual execution path involves prompting
> > the user for a passphrase, using that passphrase to load data
> > into a KeyStore, and storing data from that KeyStore into the right
> > AuthContext using indices known only to the SSL package.
>
> Using SSLEndpoint implies a close coupling between SSL and the
> sun.server.* packages. I would have thought that the SSL packages would
> not have to depend on a particular server implementation, but instead
> developers could use the SSL classes with their own server framework
> (e.g. my.server.* packages). Are there any plans in the future for
> separating SSL from the web-server ?

We do intend to make that separation clean, yes. That coupling is
a temporary measure to encapsulate self-authentication: private
keys do need to be securely stored/retrieved, and we'd like to have
the solutions for webservers and for individual users be almost
identical. Alpha2 didn't securely store the keys.

> Does this mean that the X.509 certificate chain class is included in the
> Beta release of the web-server. If it is, could you please point it out.

No such public class exists. X.509 cert chains are exposed in the
form of an array of certificates, with the "leaf" at the front and
the "root" at the end. There's been discussion about wanting some
class to better encapsulate trust chain policies, but that won't
happen until the V3 support becomes available.

> > Note that (as always) sun.* APIs are not fully supported. In the
> > cases of SSL and X509 we're still working on the APIs since they're
> > not feature-complete yet. I don't know of fundamental changes needed,
> > but if you write code to either set of APIs, it will at least break when
> > the API package names change.
> >
> > - Dave
>
>
> Thanks for the info.

You're welcome ... many thanks for the useful feedback!

- Dave