[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] Re: Client side security store (Peter Kriens)

I am not that worried about the strength of the security :-) Usually
systems are compromised with user engineering. So my objection to the
Keystore API was not on implementation weakness. I do not like the
API and architecture. It was cumbersome to do simple things ...

Kind regards,

     Peter Kriens

jnic> First, I'm glad to see some great discussions staring up
jnic> around security and Eclipse in general.  As Jeff pointed out,
jnic> much of the info that was started on the Equinox home has become
jnic> a little out of date.

jnic> Peter,

jnic> Java has long contained APIs/SPIs for a "KeyStore" which
jnic> can contain X509 certificates as well.  As Jeff and BJ point
jnic> out, some of the default implementations are pretty week and can
jnic> be compromised fairly easily.  The IBM implementations in IBM
jnic> JRE's are "more" secure, in that they use real encryption.  The
jnic> core Keystore APIs/SPIs are very flexible for providing your own
jnic> pluggable implementations and providers.

jnic> In addition Java 1.4. introduced the CertStore APIs/SPIs
jnic> which also provide a more robust mechanism for searching and
jnic> managing groups of "untrusted certificates and CRLs".   (see
jnic> http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/CertStore.html).
jnic>  I have more experience with the Keystore APIs/SPIs than the
jnic> Certstore, so I won't say anymore about it, until I do.

jnic> I believe these APIs/SPIs can be built on to make Eclipse
jnic> a more secure application platform.  I even like the idea of
jnic> possibly having the "default" Eclipse providers, be just
jnic> wrappers on top of the OS's store.

jnic> One of the biggest weaknesses of those APIs is the lack
jnic> of what is probably the most desired piece, a "secure"
jnic> repository for saving username/password combinations for
jnic> accessing remote services and sites.  These aren't technically
jnic> "keys" or certificates, but they do act as a user's credentials
jnic> when accessing some remote services.

jnic> Lots of food for thought....
jnic> Jay R. 
jnic>  IBM Corp. , IBM Software Group
jnic>  Workplace, Portal and Collaboration Software 
jnic>  Workplace Managed Client, Security 
jnic> jsr@xxxxxxxxxx"Experience is something you don't get
jnic> until just after you need it." -- Anon 

Peter Kriens                              Mob +33633746480
9C, Avenue St. Drézéry                    Tel +33467542167
34160 Beaulieu, France                    Tel +15123514821
                                          Tel +33870447986
AOL,Yahoo, Skype pkriens                  ICQ 255570717