[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[equinox-dev] Re: Client side security store (Peter Kriens)

First, I'm glad to see some great discussions staring up around security and Eclipse in general.  As Jeff pointed out, much of the info that was started on the Equinox home has become a little out of date.


Java has long contained APIs/SPIs for a "KeyStore" which can contain X509 certificates as well.  As Jeff and BJ point out, some of the default implementations are pretty week and can be compromised fairly easily.  The IBM implementations in IBM JRE's are "more" secure, in that they use real encryption.  The core Keystore APIs/SPIs are very flexible for providing your own pluggable implementations and providers.

In addition Java 1.4. introduced the CertStore APIs/SPIs which also provide a more robust mechanism for searching and managing groups of "untrusted certificates and CRLs".   (see http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/CertStore.html).  I have more experience with the Keystore APIs/SPIs than the Certstore, so I won't say anymore about it, until I do.

I believe these APIs/SPIs can be built on to make Eclipse a more secure application platform.  I even like the idea of possibly having the "default" Eclipse providers, be just wrappers on top of the OS's store.

One of the biggest weaknesses of those APIs is the lack of what is probably the most desired piece, a "secure" repository for saving username/password combinations for accessing remote services and sites.  These aren't technically "keys" or certificates, but they do act as a user's credentials when accessing some remote services.

Lots of food for thought....
Jay R.
IBM Corp. , IBM Software Group
Workplace, Portal and Collaboration Software
Workplace Managed Client, Security

"Experience is something you don't get until just after you need it." -- Anon