Date: Mon, 3 Mar 1997 22:29:23 -0800
Message-Id: <199703040629.WAA06954@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: mkirk@cisco.com
Subject: Re: Do you have a X509 implementation ?
> From: Michael Kirk <mkirk@cisco.com>
> Date: Wed, 26 Feb 97 16:55:02 EST
>
> In your document "Security in JDK 1.1" there is a reference to
> sun.security subpackages which include classes to handle x.509
> certificates. Firstly, where might I find these classes and the
> documentation necessary to use them? And secondly, are these
> classes likely to become part of the core Java classes at any stage?
Pardon me if I've forgotten if this question was answered yet or not ...
The sun.security subpackages in JDK 1.1 aren't supported.
We will have support for X509v3 in JDK 1.2.
Here are answers to some common questions about the X509V3 project.
--Summary:
* JDK 1.1 has the basic technology for digital signatures
* Future releases (JDK 1.2 and beyond) will have enhanced support for X509v3 certificate management, both generating and requesting
* Future releases (JDK 1.2 and beyond) will have support for flexible security policies and finer-grain policies
--> 1) javakey uses X.509v1 certificates and other browsers
--> support v3. How does this work together? Are there
--> any problems?
X.509v3 is a superset of X.509v1, so if browsers have support for X.509v3 they automatically support X.509v1. There should be no problems.
--> 2) Why was it decided to go with v1 instead of v3?
X.509v3 was finalized in June of 1996. The major enhancement is the support for extensions. Now almost any arbitrary data can be embedded in the certificate and marked for criticality during verification. So for example, one of the extensions defined is AltNames. The Subject Distinguished Name is not too user friendly, but suppose you use the AltName extension and mark it as CRITICAL; then you have the capability of using alternate name forms such as email addresses.
This also needs a profile (i.e. a minimum set of extensions that have to be supported). A number of profiles have come into existence but none are in a committed form yet. So, we had to wait until things settled; we are now ready to support X.509v3 and the IETF PKIX and ANSI X9.57 profiles.
--> 3) What are the differences between v1 and v3?
--> Found the following in the JDK1.1 documentation. If you
--> have a URL to more info, I'd appreciate it.
The problem is that the X.509 specification is a CCITT spec and as such is not freely available. You should look at the IETF PKIX working group internet drafts (ftp://ftp.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part1-03.txt).
--> 4) What is the roadmap for javakey?
We will be adding support for X.509v3 in jdk1.2. The profiles we will support are as mentioned above.
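
Added example, not part of the original message and not JDK code: a minimal Python parser for the X.509v3 extension list described in answer 2, showing how a verifier finds extensions that are marked critical but that it does not implement (the standard rule is that such a certificate must be rejected). The function names and the sample bytes are constructed for illustration; the OIDs are the standard ones for subjectAltName, keyUsage and subjectKeyIdentifier.

```python
# Added example; every byte in SAMPLE is constructed data, not a real certificate.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                     # base-128 digits, high bit means "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)         # the first two arcs share one value: 40*a + b
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Extensions ::= SEQUENCE OF SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }"""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        etag, ext, pos = read_tlv(body, pos)
        otag, oid, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                   # optional BOOLEAN sits before the OCTET STRING
            critical = value != b"\x00"
            tag, value, p = read_tlv(ext, p)
        if (etag, otag, tag) != (0x30, 0x06, 0x04) or p != len(ext):
            raise ValueError("malformed Extension")
        out.append((decode_oid(oid), critical, value))
    return out

def unhandled_critical(der, understood):
    """Critical extensions this verifier does not implement; any hit means reject."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in understood]

# subjectAltName (critical, rfc822Name), keyUsage (critical), subjectKeyIdentifier (non-critical)
SAMPLE = (bytes.fromhex("303f 301e 0603551d11 0101ff 0414 3012 8110") + b"user@example.com"
          + bytes.fromhex("300e 0603551d0f 0101ff 0404 03020780"
                          "300d 0603551d0e 0406 040401020304"))
```

A verifier that implements only subjectAltName gets `["2.5.29.15"]` back from `unhandled_critical(SAMPLE, {"2.5.29.17"})` and has to refuse the certificate; the non-critical subjectKeyIdentifier can be ignored safely.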