[security-dev 00150]: Adding RFC-5054 to OpenJDK JSSE

David Taylor dajt1 at bigpond.com
Fri Apr 18 23:26:56 PDT 2008


Hi,

RFC-5054 adds the ability to use SRP-6 secure username/password as the 
authentication mechanism to TLS.

This gives client authentication using a secure username/password 
scheme, and optionally server authentication either by the fact the 
server is in possession of the necessary information to authenticate the 
client, or using traditional server certificates.

Using this type of authentication is good for protocols that require 
client authentication and are already username/password based. Obvious 
candidates are secure SMTP, IMAP, FTP, etc.

I believe web apps would also benefit greatly from this, except for the 
fact that browser SSL implementations and UIs would have to be changed 
to accept a username and password during the TLS handshake, which is 
probably not going to happen.

I'd like to look into adding RFC-5054 support to JSSE if everyone agrees 
it would be worth having. Has anyone else looked into it or have an 
opinion?

Regards,
David Taylor.
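The premaster-secret computation that RFC 5054 plugs into the TLS handshake, as an added example that is not code from this post or from JSSE. It follows the RFC's arithmetic (k, x, A, B, u and the shared secret S, all hashed with SHA-1 and padded to the length of N) and shows the two properties mentioned above: the server stores only a salt and verifier, never the password, yet can only complete the handshake if it holds that verifier, and both sides must abort when the peer's public value is 0 mod N. The 1024-bit group is the one listed in RFC 5054 Appendix A (transcribed here; assumed correct). TLS message framing and the Finished messages that confirm the secret are not modelled, and the usernames and passwords are constructed for the demonstration.

```python
"""SRP-6 premaster-secret derivation as specified in RFC 5054 (TLS-SRP).

Added example, not code from the post or from JSSE. Only the RFC's
arithmetic is shown; TLS framing and the Finished messages are omitted.
"""
import hashlib
import secrets

# 1024-bit group (N, g) from RFC 5054 Appendix A, transcribed by hand and
# assumed correct; it is the smallest group the RFC lists.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # PAD() pads a value to the byte length of N


def _pad(x):
    return x.to_bytes(N_LEN, "big")


def _sha1_int(*parts):
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


# k = SHA1(N | PAD(g))  (RFC 5054 section 2.5.3)
k = _sha1_int(_pad(N), _pad(g))


def private_key(username, password, salt):
    """x = SHA1(s | SHA1(I | ":" | P)); computed only on the client."""
    inner = hashlib.sha1(username.encode() + b":" + password.encode()).digest()
    return _sha1_int(salt, inner)


def enroll(username, password):
    """Registration: the server keeps (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)


def server_hello(verifier):
    """ServerKeyExchange: B = k*v + g^b mod N. Returns (b, B)."""
    b = secrets.randbits(256)  # the RFC asks for at least 256 random bits
    return b, (k * verifier + pow(g, b, N)) % N


def client_key_exchange():
    """ClientKeyExchange: A = g^a mod N. Returns (a, A)."""
    a = secrets.randbits(256)
    return a, pow(g, a, N)


def client_premaster(username, password, salt, a, A, B):
    """Client side: S = (B - k*g^x)^(a + u*x) mod N, padded to len(N)."""
    if B % N == 0:
        raise ValueError("B mod N == 0: client must abort the handshake")
    u = _sha1_int(_pad(A), _pad(B))
    x = private_key(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return _pad(S)


def server_premaster(verifier, b, B, A):
    """Server side: S = (A * v^u)^b mod N, padded to len(N)."""
    if A % N == 0:
        raise ValueError("A mod N == 0: server must abort the handshake")
    u = _sha1_int(_pad(A), _pad(B))
    S = pow((A * pow(verifier, u, N)) % N, b, N)
    return _pad(S)


def handshake(username, registered_password, typed_password):
    """Run one exchange; True iff both sides derive the same premaster secret.

    In real TLS the comparison is implicit: mismatched secrets make the
    Finished messages fail to verify. Here it is made explicit for the demo.
    """
    salt, v = enroll(username, registered_password)   # server-side store
    b, B = server_hello(v)
    a, A = client_key_exchange()
    client_pms = client_premaster(username, typed_password, salt, a, A, B)
    server_pms = server_premaster(v, b, B, A)
    return secrets.compare_digest(client_pms, server_pms)


if __name__ == "__main__":
    # constructed credentials for the demonstration
    print("correct password:", handshake("alice", "correct horse", "correct horse"))
    print("wrong password:  ", handshake("alice", "correct horse", "battery staple"))
```

A wrong password on the client changes x and therefore S, so the two sides never agree; a server that lacks the verifier cannot produce a B that the client's computation will match, which is the "server in possession of the necessary information" form of server authentication the post refers to.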
