<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 1 Nov 2012, at 23:55, Weijun Wang wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div><br><br>On Nov 1, 2012, at 10:49 PM, Bruce Rich <<a href="mailto:brich@us.ibm.com">brich@us.ibm.com</a>> wrote:<br><br></div><blockquote type="cite"><div><font size="2" face="sans-serif">Max,</font>
<br>
<br><font size="2" face="sans-serif">There is already substantial usage of
JCEKS to store secret keys. And that has been operational since Java
5. </font>
<br><font size="2" face="sans-serif">So I'm not sure what question you are
asking. One might have asked whether the multi-format keystore would
also accommodate JCEKS. </font>
<br></div></blockquote><div><br></div>Yes this is what I'm thinking about. If we are about to retire JKS, why not cover JCEKS as well?</div></blockquote><div><br></div><div>We have no plans to retire JKS (or JCEKS). We're just examining how best to transition the _default_ keystore</div><div>format from JKS to PKCS12, in JDK 8. </div><div><br></div><div>I don't see a need for the multi-format keystore to accommodate JCEKS since JCEKS is normally instantiated</div><div>by explicitly specifying its keystore type (and not by calling KeyStore.getDefaultType()).</div><div><br></div><br><blockquote type="cite"><div dir="auto"><div><br><blockquote type="cite"><div><font size="2" face="sans-serif">If that was your question, I think it
would increase the scope beyond what can be accomplished in the near term,
which is why the focus is on JKS, which is the format used by cacerts,
for example.</font>
<br></div></blockquote><div><br></div>I see.</div><div><br></div><div>Thanks</div><div>Max</div><div><br><blockquote type="cite"><div><font size="2" face="sans-serif"><br>
Bruce A Rich<br>
brich at-sign us dot ibm dot com<br>
</font>
<br>
<br>
<br>
<br><font size="1" color="#5f5f5f" face="sans-serif">From:
</font><font size="1" face="sans-serif">Weijun Wang <<a href="mailto:weijun.wang@oracle.com">weijun.wang@oracle.com</a>></font>
<br><font size="1" color="#5f5f5f" face="sans-serif">To:
</font><font size="1" face="sans-serif"><a href="mailto:security-dev@openjdk.java.net">security-dev@openjdk.java.net</a></font>
<br><font size="1" color="#5f5f5f" face="sans-serif">Date:
</font><font size="1" face="sans-serif">10/31/2012 09:27 PM</font>
<br><font size="1" color="#5f5f5f" face="sans-serif">Subject:
</font><font size="1" face="sans-serif">Re: Transitioning
the default keystore format to PKCS#12</font>
<br><font size="1" color="#5f5f5f" face="sans-serif">Sent by:
</font><font size="1" face="sans-serif"><a href="mailto:security-dev-bounces@openjdk.java.net">security-dev-bounces@openjdk.java.net</a></font>
<br>
<hr noshade="">
<br>
<br>
<br><tt><font size="2">A little off topic:<br>
<br>
Do we still care about the JCEKS storetype? Maybe no one stores secret
keys in a keystore?<br>
<br>
Thanks<br>
Max<br>
<br>
<br>
On 11/01/2012 12:55 AM, Vincent Ryan wrote:<br>
><br>
> Before considering migrating the platform default keystore format
to PKCS12 its keystore implementation<br>
> must at least match the functionality of JKS.<br>
><br>
> I have developed a prototype of a multi-format keystore that understands
both JKS and PKCS12<br>
> formats - it checks for the JKS magic number to determine the format.
By supporting both formats,<br>
> existing applications that access keystores using the platform default
keystore format, continue to<br>
> function as expected.<br>
><br>
> In addition, storing trusted certs in PKCS12 is now supported. I've
selected the X.509<br>
> extendedKeyUsage attribute to explicitly denote that a certificate
is trusted - its default value is<br>
> trusted-for-any-purpose. This well-known attribute is stored with
the certificate in a PKCS12<br>
> certBag.<br>
><br>
> Webrev:<br>
> </font></tt><a href="http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/"><tt><font size="2">http://cr.openjdk.java.net/~vinnie/jdk8-multi/webrev/</font></tt></a><tt><font size="2"><br>
><br>
> Please send me any comments.<br>
> Thanks.<br>
><br>
<br>
</font></tt>
<br></div></blockquote></div></div></blockquote></div><br></body></html>