[security-dev 00170]: Re: Adding RFC-5054 to OpenJDK JSSE
Andrew Fan
Andrew.Fan at Sun.COM
Sat May 17 02:45:40 UTC 2008
Hi David,
Thanks for your proposal on supporting RFC-5054 in JSSE. However, SRP
is patented, and the potential IP issues will prevent us from adding the
module to JSSE. Also, RFC-5054 is only an informational RFC, and in
practice there is a lack of deployment of SRP/TLS, so my team thinks it is a low
priority based on other enhancements we'd like to see in security.
Thanks & Regards,
Andrew
David Taylor wrote:
> Hi,
>
> RFC-5054 adds the ability to use SRP-6 secure username/password as the
> authentication mechanism to TLS.
>
> This gives client authentication using a secure username/password
> scheme, and optionally server authentication either by the fact the
> server is in possession of the necessary information to authenticate
> the client, or using traditional server certificates.
>
> Using this type of authentication is good for protocols that require
> client authentication and are already username/password based. Obvious
> candidates are secure SMTP, IMAP, FTP, etc.
>
> I believe web apps would also benefit greatly from this, except for
> the fact that browser SSL implementations and UIs would have to be
> changed to accept a username and password during the TLS handshake,
> which is probably not going to happen.
>
> I'd like to look into adding RFC-5054 support to JSSE if everyone
> agrees it would be worth having. Has anyone else looked into it or
> have an opinion?
>
> Regards,
> David Taylor.
>
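The SRP-6a arithmetic that RFC 5054 carries in the TLS handshake (the server stores only a verifier, B and A travel in ServerKeyExchange/ClientKeyExchange, and both sides derive the same premaster secret only if the password matches), as an added Python illustration that is not code from this thread or from JSSE; the group constant is RFC 5054's 1024-bit group transcribed here, and the username, salt and password are constructed.

```python
import hashlib
import secrets

# RFC 5054 Appendix A 1024-bit group, g = 2 (transcribed here; verify against the RFC)
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x):  # PAD() from RFC 5054: left-pad to the byte length of N
    return x.to_bytes(NLEN, "big")

def H(*parts):  # SHA-1 of the concatenation, as an integer (TLS-SRP uses SHA-1)
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def private_x(salt, username, password):  # x = SHA1(s | SHA1(I | ":" | P))
    return H(salt, hashlib.sha1(username + b":" + password).digest())

def verifier(salt, username, password):  # v = g^x mod N, what the server stores
    return pow(g, private_x(salt, username, password), N)

def server_public(v, b):  # ServerKeyExchange B = k*v + g^b, k = SHA1(N | PAD(g))
    return (H(pad(N), pad(g)) * v + pow(g, b, N)) % N

def client_premaster(salt, username, password, a, B):
    """ClientKeyExchange A = g^a; premaster S = (B - k*g^x)^(a + u*x) mod N."""
    if B % N == 0:
        raise ValueError("illegal_parameter: B mod N == 0")  # RFC 5054 requires abort
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    x, k = private_x(salt, username, password), H(pad(N), pad(g))
    return A, pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_premaster(v, b, A, B):
    """Server premaster S = (A * v^u)^b mod N; only the verifier is needed."""
    if A % N == 0:
        raise ValueError("illegal_parameter: A mod N == 0")  # RFC 5054 requires abort
    u = H(pad(A), pad(B))
    return pow(A * pow(v, u, N), b, N)

def run_exchange(password_tried, salt=b"\x01" * 16, user=b"alice",
                 password=b"correct horse"):
    """Constructed demo: enroll user, run one exchange; returns (client_S, server_S)."""
    v = verifier(salt, user, password)
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    B = server_public(v, b)
    A, client_S = client_premaster(salt, user, password_tried, a, B)
    return client_S, server_premaster(v, b, A, B)
```

The two premaster values agree only when the client used the enrolled password, which is how the server authenticates the client without ever holding the password itself.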