[security-dev 00170]: Re: Adding RFC-5054 to OpenJDK JSSE

Andrew Fan Andrew.Fan at Sun.COM
Fri May 16 19:45:40 PDT 2008

Hi David,

Thanks for your proposal on support RFC-5054 on JSSE. However, the SRP 
is patented, the potential IP issues will prevent us from adding the 
module into JSSE. And, the RFC-5054 is only a informational RFC and in 
practice it is lack of deployment of SRP/TLS, my team think it is a low 
priority based on other enhancements we'd like to see in security.

Thanks & Regards,

David Taylor wrote:
> Hi,
> RFC-5054 adds the ability to use SRP-6 secure username/password as the 
> authentication mechanism to TLS.
> This gives client authentication using a secure username/password 
> scheme, and optionally server authentication either by the fact the 
> server is in possesion of the necessary information to authenticate 
> the client, or using traditional server certificates.
> Using this type of authentication is good for protocols that require 
> client authentication and are already username/password based. Obvious 
> candidates are secure SMTP, IMAP, FTP, etc.
> I believe web apps would also benefit greatly from this, except for 
> the fact that browser SSL implementations and UIs would have to be 
> changed to accept a username and password during the TLS handshake, 
> which is probably not going to happen.
> I'd like to look into adding RFC-5054 support to JSSE if everyone 
> agrees it would be worth having. Has anyone else looked into it or 
> have an opinion?
> Regards,
> David Taylor.

More information about the security-dev mailing list