Posted to soap-dev@ws.apache.org by Darrel Drake <EB...@jp.ibm.com> on 2000/10/27 10:43:54 UTC

SSL client authentication

I think this is a sort-of newbie question so I'm sorry in advance. But the
JDC bulletin board on JSSE is apparently unknown to the real world so I
need to ask this question here.

In all the examples of SSL client authentication that I've seen (all 2 of
them, thanks for #2 Mr. Wray), the KeyStore is passed to the
KeyManagerFactory, which then makes some KeyManagers and those are passed
to the SSLContext. This challenges my perception of how a KeyStore is
supposed to be used.

I was under the perception that each KeyStore has a group of entries, and
each of those entries is protected by an individual password. Then there's
a keystore admin who knows the password that protects the keystore file. So
in this case, more than one user-developer can have a keystore entry within
one KeyStore, and the KS manager can make some kind of slick API to give
each of them their key and cert chain whenever. I coded such an interface.

It now appears that user-developers own their own *keystore* object, which
means they each have to keep track of their store password and each
password for however many entries are in the store as well. Is this the way
the KeyStore is meant to be used? If so, does the KeyStore usually only
have one entry or more? And if it has more, how does the HttpsURLConnection
know which cert chain to pass to the host when client authentication is
requested? Does it send all entries indiscriminately? Can an order be
specified? I guess that's enough questions on this... for now.

Darrell Drake       ドレイク・ダレル
IBM Japan, TRL      日本 アイ・ビー・エム
+81-46-215-4175     東京基礎研究所
EB92401@jp.ibm.com
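
The questions above concern how the KeyStore, KeyManagerFactory and SSLContext fit together and which entry HttpsURLConnection presents. The following is an added example, not code from the thread. It relies on three properties of JSSE: KeyManagerFactory.init(KeyStore, char[]) takes one password that is used to recover every key entry, so per-entry passwords do not survive that path; a TLS client sends exactly one certificate chain per handshake, never all entries; and the default X509KeyManager picks the first entry that matches the key types and CA names in the server's CertificateRequest. To keep per-entry passwords and decide deterministically which entry is presented, the example bypasses the factory and supplies its own X509ExtendedKeyManager holding a single entry. The keystore file name, alias, passwords and host are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

public class SingleEntryClient {

    /** Presents one keystore entry (and nothing else) when the server asks for a client cert. */
    static final class SingleEntryKeyManager extends X509ExtendedKeyManager {
        private final String alias;
        private final PrivateKey key;
        private final X509Certificate[] chain;

        SingleEntryKeyManager(KeyStore ks, String alias, char[] entryPassword) throws Exception {
            // Each key entry carries its own password; only this entry's password is needed,
            // so other developers' entries in the same store stay sealed.
            KeyStore.Entry e = ks.getEntry(alias, new KeyStore.PasswordProtection(entryPassword));
            if (!(e instanceof KeyStore.PrivateKeyEntry)) {
                throw new IllegalArgumentException("no private key entry under alias " + alias);
            }
            KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) e;
            this.alias = alias;
            this.key = pke.getPrivateKey();
            Certificate[] certs = pke.getCertificateChain();
            this.chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
        }

        /** The server's CertificateRequest names the key types and CA names it will accept. */
        private boolean acceptable(String[] keyTypes, Principal[] issuers) {
            String alg = chain[0].getPublicKey().getAlgorithm(); // e.g. "RSA" or "EC"
            boolean typeOk = keyTypes == null || Arrays.asList(keyTypes).contains(alg);
            boolean issuerOk = issuers == null || issuers.length == 0; // no CA list = anything goes
            if (!issuerOk) {
                for (X509Certificate c : chain) {
                    if (Arrays.asList(issuers).contains(c.getIssuerX500Principal())) {
                        issuerOk = true;
                        break;
                    }
                }
            }
            return typeOk && issuerOk;
        }

        // Returning null means "send no certificate" rather than an entry the server cannot use.
        @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
            return acceptable(keyTypes, issuers) ? alias : null;
        }
        @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
            return acceptable(keyTypes, issuers) ? alias : null;
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return acceptable(new String[] {keyType}, issuers) ? new String[] {alias} : null;
        }
        @Override public X509Certificate[] getCertificateChain(String a) {
            return alias.equals(a) ? chain.clone() : null;
        }
        @Override public PrivateKey getPrivateKey(String a) {
            return alias.equals(a) ? key : null;
        }
        // Client-side only: never offer this entry as a server identity.
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file, passwords and alias: the store password opens the file,
        // the entry password unlocks just the one private key we intend to present.
        char[] storePassword = "store-password".toCharArray();
        char[] entryPassword = "entry-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("client.p12")) {
            ks.load(in, storePassword);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new SingleEntryKeyManager(ks, "darrell", entryPassword) },
                 null,   // null = the default trust managers, so the server is still verified
                 null);

        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.invalid/service").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

With the factory path instead (KeyManagerFactory.init(ks, keyPassword) followed by SSLContext.init(kmf.getKeyManagers(), ...)), every key entry must share that one password and the choice among several matching entries is left to the provider; the custom manager above makes the presented identity explicit and keeps the other entries' passwords out of the process entirely.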


Re: SSL client authentication

Posted by Stoyan Jordanoff <dr...@bsc.bg>.
Excuse me, who are you?
----- Original Message -----
From: "Darrel Drake" <EB...@jp.ibm.com>
To: <so...@xml.apache.org>
Sent: 27/10/2000 1:43 AM
Subject: SSL client authentication


>
> I think this is a sort-of newbie question so I'm sorry in advance. But the
> JDC bulletin board on JSSE is apparently unknown to the real world so I
> need to ask this question here.
>
> In all the examples of SSL client authentication that I've seen (all 2 of
> them, thanks for #2 Mr. Wray), the KeyStore is passed to the
> KeyManagerFactory, which then makes some KeyManagers and those are passed
> to the SSLContext. This challenges my perception of how a KeyStore is
> supposed to be used.
>
> I was under the perception that each KeyStore has a group of entries, and
> each of those entries is protected by an individual password. Then there's
> a keystore admin who knows the password that protects the keystore file. So
> in this case, more than one user-developer can have a keystore entry within
> one KeyStore, and the KS manager can make some kind of slick API to give
> each of them their key and cert chain whenever. I coded such an interface.
>
> It now appears that user-developers own their own *keystore* object, which
> means they each have to keep track of their store password and each
> password for however many entries are in the store as well. Is this the way
> the KeyStore is meant to be used? If so, does the KeyStore usually only
> have one entry or more? And if it has more, how does the HttpsURLConnection
> know which cert chain to pass to the host when client authentication is
> requested? Does it send all entries indiscriminately? Can an order be
> specified? I guess that's enough questions on this... for now.
>
> Darrell Drake       ドレイク・ダレル
> IBM Japan, TRL      日本 アイ・ビー・エム
> +81-46-215-4175     東京基礎研究所
> EB92401@jp.ibm.com
>
>
