<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hi Weijun</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Did my answers address your concerns?  Also do you have an opinion on Bernd's suggestion?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Thanks in advance</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Mat</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<p>Sent from <a href="http://aka.ms/weboutlook">Outlook</a><br>
</p>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> security-dev <security-dev-retn@openjdk.java.net> on behalf of Bernd Eckenfels <ecki@zusammenkunft.net><br>
<b>Sent:</b> Tuesday, April 5, 2022 11:20 AM<br>
<b>To:</b> security-dev@openjdk.java.net <security-dev@openjdk.java.net><br>
<b>Subject:</b> Re: Proposal: Extend Windows KeyStore support to include access to the local machine location</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div></div>
<div style="">
<div dir="ltr">BTW, since this is Windows specific anyway and since we also have a combining virtual Keystore, why not allow a new naming scheme which allows access to any of the Keystores, like “Windows-ROOT/AddressBook”?</div>
<div id="x_ms-outlook-mobile-signature">
<div><br>
</div>
<div dir="ltr">Regards</div>
<div dir="ltr">Bernd</div>
<div><br>
</div>
<div style="direction:ltr">-- </div>
<div style="direction:ltr">http://bernd.eckenfels.net</div>
</div>
<div id="x_mail-editor-reference-message-container" class="x_ms-outlook-mobile-reference-message">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif"><b>From:</b> security-dev <security-dev-retn@openjdk.java.net> on behalf of Mat Carter <Matthew.Carter@microsoft.com><br>
<b>Sent:</b> Tuesday, April 5, 2022 5:22 PM<br>
<b>To:</b> Wei-Jun Wang <weijun.wang@oracle.com><br>
<b>Cc:</b> security-dev@openjdk.java.net <security-dev@openjdk.java.net><br>
<b>Subject:</b> Re: Proposal: Extend Windows KeyStore support to include access to the local machine location
<div> </div>
</font></div>
<font size="2"><span style="font-size:11pt">
<div class="x_PlainText">Hi Weijun<br>
<br>
Thank you for the feedback, I'd like to address point 2 first as I think this might also address point 1<br>
<br>
>> 2. PrivateKeyEntry is (IMO) mainly used for client auth in TLS. We don't want new entries suddenly appearing <br>
>> there and being automatically chosen by a key manager.<br>
>><br>
>> It looks OK to enhance Windows-ROOT to cover more root CA certs in your organization but including <br>
>> new entries in Windows-MY is a little dangerous. It's OK to introduce a new store type for MY in LOCAL_MACHINE.<br>
<br>
I deliberately kept implementation details out of the initial email to focus on the security aspects, but this point makes an assumption that the results of using "Windows-MY" or "Windows-ROOT" would change with this new functionality; this is not what we're
 proposing.  Specifically we're proposing adding two new strings "Windows-MY-LOCALMACHINE" and
<br>
"Windows-ROOT-LOCALMACHINE" such that developers can now access the key stores in the local machine. To be clear, the implementation would make no attempt to "merge" results when enumerating or to search both locations via a single key store instance; i.e.
you can only create an instance for accessing either keystore but not both.<br>
<br>
I think this addresses point 1 also, but if not then I have a follow-on question:<br>
<br>
>> 1. In Java's KeyStore a certificate entry is called TrustedCertificateEntry. The name implies that the certificate is
<br>
>> trusted for any purpose. We don't want some certificates that were not meant to be trusted to show up.<br>
<br>
Our initial analysis leads us to believe that we'll not need to introduce new code paths to handle new certificates; i.e. the only code changes are how the key store is opened, and subsequent calls to access certificates are handled by the existing code.<br>
<br>
Given the above assumption, your concerns laid out in point 1 and if your concern is not mitigated with our notes for point 2: is it the case that you expect new "types" of certificates to be accessible via local machine that weren't via current user and that
 some/all of these certs are "bad" (and would need new code paths to handle them)?<br>
<br>
While we are talking about implementation, there's another aspect we'd like to introduce/discuss: this is to allow developers to access the key stores with read-only permissions, thus allowing enumeration and reading without requiring administrative permissions
 to be granted to the application (thus increasing security).<br>
<br>
Thanks in advance<br>
Mat<br>
<br>
Sent from Outlook<br>
<br>
<br>
From: Wei-Jun Wang <weijun.wang@oracle.com><br>
Sent: Friday, April 1, 2022 3:15 PM<br>
To: Mat Carter <Matthew.Carter@microsoft.com><br>
Cc: security-dev@openjdk.java.net <security-dev@openjdk.java.net><br>
Subject: Re: Proposal: Extend Windows KeyStore support to include access to the local machine location
<br>
 <br>
Hi Mat,<br>
<br>
We have 2 main concerns:<br>
<br>
1. In Java's KeyStore a certificate entry is called TrustedCertificateEntry. The name implies that the certificate is trusted for any purpose. We don't want some certificates that were not meant to be trusted to show up.<br>
<br>
2. PrivateKeyEntry is (IMO) mainly used for client auth in TLS. We don't want new entries suddenly appearing there and being automatically chosen by a key manager.<br>
<br>
It looks OK to enhance Windows-ROOT to cover more root CA certs in your organization but including new entries in Windows-MY is a little dangerous. It's OK to introduce a new store type for MY in LOCAL_MACHINE.<br>
<br>
And we have no plan to add other types like ADDRESSBOOK.<br>
<br>
Thanks,<br>
Weijun<br>
<br>
> On Mar 31, 2022, at 5:16 PM, Mat Carter <Matthew.Carter@microsoft.com> wrote:<br>
> <br>
> Current support for KeyStores on Windows is limited to the current user location [1]<br>
> <br>
> There have been previous requests for local machine support [2] along with discussion in the security-dev mailing list [3]; further discussions have occurred on stackoverflow in the past [4] and [5]<br>
> <br>
> Using JNI you can access local machine locations but then you are duplicating much of the existing native functionality; this also adds the requirement that developers need to know C/C++ and the Windows cryptography API.<br>
> <br>
> Given the above I propose that we add native support for local machine KeyStore locations<br>
> <br>
> Users can currently access two physical key stores (in the current user location):<br>
> <br>
> "Windows-MY": .Default<br>
> "Windows-ROOT": .Default.LocalMachine, .SmartCard<br>
> <br>
> Adding the local machine location opens up access to a further two physical key stores …<br>
> <br>
> "Windows-MY": .Default<br>
> "Windows-ROOT": .Default.AuthRoot, .GroupPolicy, .Enterprise, .SmartCard<br>
> <br>
> Please let me know if there are any existing efforts to bring this functionality to Java, or references to prior decisions on this subject<br>
> <br>
> Thanks in advance<br>
> Mat Carter<br>
> <br>
> [1] <a href="https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations">https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations</a><br>
> [2] <a href="https://bugs.openjdk.java.net/browse/JDK-6782021">https://bugs.openjdk.java.net/browse/JDK-6782021</a><br>
> [3] <a href="http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017832.html">http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017832.html</a><br>
> [4] <a href="https://stackoverflow.com/questions/70200603/accessing-windows-local-machine-certificates-from-a-windows-service-written-in-j">https://stackoverflow.com/questions/70200603/accessing-windows-local-machine-certificates-from-a-windows-service-written-in-j</a><br>
> [5] <a href="https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java">https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java</a><br>
> <br>
> <br>
> Sent from Outlook<br>
</div>
</span></font></div>
</div>
</div>
</div>
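<p>The thread above turns on two points: what a Java caller actually sees when it opens one of the SunMSCAPI stores (TrustedCertificateEntry vs PrivateKeyEntry), and Wei-Jun's concern that a PrivateKeyEntry which merely exists in a "MY" store can be picked automatically by a TLS key manager. The following is an added example, not code from the thread, from the proposal, or from the JDK; it enumerates a Windows keystore and classifies each alias, then wraps the default key manager so that only one explicitly chosen alias can ever be offered for TLS authentication. "Windows-MY" is an existing store type; "Windows-MY-LOCALMACHINE" is the name proposed in the thread and is only assumed here, and the alias string is a placeholder. It needs a Windows JDK with the SunMSCAPI provider.</p>

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Added example (not from the mailing-list thread or the JDK): audits a SunMSCAPI
 * keystore and pins the TLS key manager to a single alias.
 */
public class WindowsKeyStoreAudit {

    /** Prints every alias with its Java entry type; returns the number of PrivateKeyEntry items. */
    static int audit(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            boolean isKey = ks.isKeyEntry(alias);          // true when a private key is reachable
            if (isKey) keyEntries++;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-23s %-30s %s%n",
                    isKey ? "PrivateKeyEntry" : "TrustedCertificateEntry",
                    alias,
                    cert == null ? "(no certificate)" : cert.getSubjectX500Principal());
        }
        return keyEntries;
    }

    /** Wraps a key manager so only {@code pinnedAlias} is ever offered, whatever else the store holds. */
    static X509ExtendedKeyManager pinnedTo(X509ExtendedKeyManager delegate, String pinnedAlias) {
        return new X509ExtendedKeyManager() {
            private String pinnedIfPresent() {
                return delegate.getCertificateChain(pinnedAlias) != null ? pinnedAlias : null;
            }
            @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
                String a = pinnedIfPresent();
                return a == null ? null : new String[] { a };
            }
            @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
                return pinnedIfPresent();
            }
            @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
                return pinnedIfPresent();
            }
            @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
                String a = pinnedIfPresent();
                return a == null ? null : new String[] { a };
            }
            @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
                return pinnedIfPresent();
            }
            @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
                return pinnedIfPresent();
            }
            @Override public X509Certificate[] getCertificateChain(String alias) {
                return pinnedAlias.equals(alias) ? delegate.getCertificateChain(alias) : null;
            }
            @Override public PrivateKey getPrivateKey(String alias) {
                return pinnedAlias.equals(alias) ? delegate.getPrivateKey(alias) : null;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // "Windows-MY" exists today; "Windows-MY-LOCALMACHINE" is the store name proposed in the
        // thread and is only assumed here. The alias is a placeholder to replace with your own.
        String storeType = args.length > 0 ? args[0] : "Windows-MY";
        String pinnedAlias = args.length > 1 ? args[1] : "REPLACE-WITH-YOUR-CLIENT-CERT-ALIAS";

        KeyStore ks = KeyStore.getInstance(storeType);   // provided by SunMSCAPI on a Windows JDK
        ks.load(null, null);                             // MSCAPI stores take no stream and no password
        System.out.println(audit(ks) + " private key entries in " + storeType);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        X509ExtendedKeyManager defaultKm = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinnedTo(defaultKm, pinnedAlias) }, null, null);
        // ctx.getSocketFactory() now offers at most the pinned alias during client authentication.
    }
}
```

<p>Run it once against "Windows-MY" and once against the proposed "Windows-MY-LOCALMACHINE" to see how the set of PrivateKeyEntry items differs between the two locations; the pinning wrapper is what keeps that difference from changing which certificate a TLS handshake presents.</p>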
</body>
</html>