Transitioning the default keystore format to PKCS#12

Vincent Ryan vincent.x.ryan at oracle.com
Tue Oct 9 15:51:55 UTC 2012


We have a long-standing requirement to improve, or migrate from, the default JKS
keystore format.

JEP-166[1] plans to address this requirement by delivering the functionality
necessary to transition to using PKCS#12 as the default keystore format.
I'd like to solicit comments from the community on this issue. 

Both the old and new keystore formats must be supported in a compatible way
for existing applications. As a first step I intend to modify the JKS and PKCS12
implementation classes to support both formats (by switching on the JKS magic
number).

Further steps will include enhancing the PKCS12 implementation to add support
for storing secret keys (and passwords) and trusted certificates. In addition, the new
PBE algorithms delivered by JEP-121[2,3] can also be employed for improved
security.
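The transparent dual-format loading described above (check for the JKS magic number, otherwise treat the bytes as a PKCS#12 PFX), seen from the application side, as an added Java example that is not part of the JEP or of the JDK's own code. It assumes Java 9 or later (for readNBytes) and a JDK whose PKCS12 provider already stores secret keys, which the post lists as a later step; the magic values 0xFEEDFEED (JKS) and 0xCECECECE (JCEKS) are the ones the JDK providers write, while the class name, password and all-zero key are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public final class KeyStoreSniffer {
    // Leading bytes written by the JDK's JKS and JCEKS providers; a PKCS#12 PFX is a DER SEQUENCE.
    private static final int JKS_MAGIC = 0xFEEDFEED;
    private static final int JCEKS_MAGIC = 0xCECECECE;
    private static final int DER_SEQUENCE_TAG = 0x30;

    /** Returns "JKS", "JCEKS" or "PKCS12" from the leading bytes, or null if unrecognised. */
    public static String detectType(byte[] head) {
        if (head.length < 4) return null;
        int magic = java.nio.ByteBuffer.wrap(head).getInt();
        if (magic == JKS_MAGIC) return "JKS";
        if (magic == JCEKS_MAGIC) return "JCEKS";
        if ((head[0] & 0xFF) == DER_SEQUENCE_TAG) return "PKCS12";
        return null;
    }

    /** Sniffs the format, pushes the bytes back and loads with the matching KeyStore type. */
    public static KeyStore loadAny(InputStream in, char[] password) throws Exception {
        PushbackInputStream pin = new PushbackInputStream(in, 4);
        byte[] head = new byte[4];
        int n = pin.readNBytes(head, 0, 4);          // Java 9+; reads up to 4 bytes
        pin.unread(head, 0, n);                      // hand the complete stream to the provider
        String type = detectType(java.util.Arrays.copyOf(head, n));
        if (type == null) throw new java.io.IOException("unrecognised keystore format");
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(pin, password);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a PKCS#12 store holding one AES secret key, written to memory.
        char[] pw = "changeit".toCharArray();                     // placeholder password
        KeyStore fresh = KeyStore.getInstance("PKCS12");
        fresh.load(null, pw);
        fresh.setEntry("aes-key", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(pw));          // all-zero key, illustration only
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        fresh.store(out, pw);
        KeyStore back = loadAny(new ByteArrayInputStream(out.toByteArray()), pw);
        System.out.println(back.getType() + " keystore, " + back.size() + " entry, key: " + back.isKeyEntry("aes-key"));
    }
}
```

The same loadAny call accepts a JKS or JCEKS file unchanged, which is the compatibility property the post asks for; a provider that folds this switch into the PKCS12 implementation would make even the type sniffing unnecessary for applications.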

Although we are already at Milestone 5 I would like to examine two further areas
as part of this JEP: permission-based access controls and virtual keystore views.

Comments are welcome.
Thanks.

____
[1] http://openjdk.java.net/jeps/166
[2] http://openjdk.java.net/jeps/121
[3] http://cr.openjdk.java.net/~vinnie/6383200/webrev.04/