Date: Tue, 23 Jun 1998 17:50:39 -0700
From: David.Brownell@Eng (David Brownell)
Message-Id: <199806240050.RAA25578@argon.eng.sun.com>
To: kaplan@watson.ibm.com
Subject: Re: User authentication in Java Security Realm of Certificates?
Hi Marc,
(Your mail just got bounced to someplace I saw it ... I don't know
what broke on the java-server-feedback alias.)
The documentation on the realm package seems to be missing, and in
particular that for the Certificate Realm.
Briefly, a CertificateUser has a "certificate" attribute which contains
the public key certificate. There are many different ways in which
such keys are used to perform authentication, and the type of key in
the certificate (and its X.509 key usage constraints) will affect which
way(s) a given certificate can be used to authenticate the associated
private key holder.
Then there are the CA interactions -- authentication when using
certificates is more complex than when using uncertified keys, since
one of several certificate path validation schemes needs to be used!
For example, it must fail if the CA isn't trusted. Certificates can
also expire, and be revoked (or perhaps suspended).
The CertificateUser object is agnostic with respect to which of the
potential authentication schemes is used, and which particular cert path
validation is used. The only thing that we _know_ must be common is
that they all involve a certificate. This lets us work with both SSL
authentication and signature (PKCS #7 in our case) based schemes.
Re "Recommended" authentication protocol for certificates ... the
simplest is to sign something and verify the signature. But the
"something" that's signed is a function of the particular protocol, and
authentication needs to address the path validation too. (Also, I'm
assuming the certificate doesn't hold a Diffie-Hellman key!)
- Dave
> To: java-server-feedback@java.sun.com
> Subject: User authentication in Java Security Realm of Certificates?
> Reply-To: kaplan@watson.ibm.com
> Date: Wed, 17 Jun 1998 13:07:53 -0400
> From: "Marc A. Kaplan" <kaplan@bog>
>
>
> What is the recommended authentication protocol for a Java Security Realm?
>
> Looking at class com.sun.server.realm.certificate.CertificateUser
>
> I see it implements the "User" interface, but unlike class OtpUser
> it does NOT implement "ChallengeResponseAuth", nor any other interfaces
> that deal with Authentication.
>
> marc a. kaplan
>
>
>
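The authentication scheme Dave sketches above (sign a realm-issued nonce, verify the signature with the certified key, and make the result depend on certificate path validation, X.509 key usage and revocation), as an added example that is not part of this thread and not Sun's realm code. It is written in Go rather than Java because Go's standard library can build a throwaway CA and user certificates inline, so it runs offline; the `Realm` and `Scenario` types, the CA and user names, the 1998 "current" date, the revoked-serial list and the nonce are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Realm stands in for a certificate realm: trust anchors plus revoked serial numbers (constructed; a real realm would consult a CRL or OCSP).
type Realm struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// Authenticate is the realm's side of signature-based authentication: the key holder
// signed the realm's nonce; check path, key usage and revocation, then the signature.
func (r *Realm) Authenticate(cert *x509.Certificate, nonce, sig []byte, now time.Time) error {
	// (1) Path validation: fails for an untrusted CA or a certificate expired at `now`.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: r.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	// (2) The X.509 key usage extension must permit digital signatures.
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("key usage does not permit digital signature")
	}
	// (3) A revoked (or suspended) certificate fails even with a valid path.
	if r.Revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	// (4) Verify the signature with the certified key; a non-signing key type (Diffie-Hellman, say) fails the type assertion.
	digest := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature over nonce does not verify with the certified key")
	}
	return nil
}

// Sign is the client's side: prove possession of the private key by signing the nonce.
func Sign(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Scenario struct {
	Realm *Realm
	Now   time.Time
	Certs map[string]*x509.Certificate
	Keys  map[string]*ecdsa.PrivateKey
}

func BuildScenario() *Scenario { // constructed PKI: trusted CA, rogue CA, and good/revoked/rogue-issued users
	now := time.Date(1998, 6, 23, 0, 0, 0, 0, time.UTC) // constructed "current" date
	// issue generates a fresh key for cn and certifies it with signer (a CA signs itself).
	issue := func(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), IsCA: isCA, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if isCA {
			tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, signer = x509.KeyUsageCertSign, nil, tmpl, key
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
		return must(x509.ParseCertificate(der)), key
	}
	certs, keys := map[string]*x509.Certificate{}, map[string]*ecdsa.PrivateKey{}
	certs["ca"], keys["ca"] = issue("Trusted Realm CA", 1, true, nil, nil)
	certs["rogue"], keys["rogue"] = issue("Untrusted CA", 2, true, nil, nil)
	certs["good"], keys["good"] = issue("alice", 10, false, certs["ca"], keys["ca"])
	certs["revoked"], keys["revoked"] = issue("bob", 11, false, certs["ca"], keys["ca"])
	certs["untrusted"], keys["untrusted"] = issue("carol", 12, false, certs["rogue"], keys["rogue"])
	roots := x509.NewCertPool()
	roots.AddCert(certs["ca"])
	revoked := map[string]bool{certs["revoked"].SerialNumber.String(): true}
	return &Scenario{Realm: &Realm{Roots: roots, Revoked: revoked}, Now: now, Certs: certs, Keys: keys}
}

func main() {
	s := BuildScenario()
	nonce := []byte("constructed realm nonce") // a real realm draws a fresh random nonce per attempt
	for _, who := range []string{"good", "revoked", "untrusted"} {
		sig := must(Sign(s.Keys[who], nonce))
		fmt.Printf("%-9s -> %v\n", who, s.Realm.Authenticate(s.Certs[who], nonce, sig, s.Now))
	}
}
```

The order of the checks is the point: the signature is only examined after the path, the key usage bits and the revocation list have all passed, so a valid signature from an untrusted, expired or revoked certificate never authenticates anyone. Calling `Authenticate` with a later `now` (say two years on) shows the expiry case; reusing one signature against a different nonce shows why the realm must issue a fresh nonce per attempt.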