Details
-
Enhancement
-
Resolution: Fixed
-
P3
-
None
-
b13
-
generic
-
generic
Description
See http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005371.html
Hello,
Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
algorithms supported by
SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
"LDAPS". ... <deleted>...
I'm not sure if there is much awareness for it, but there is an RFC
that aims to harmonise the best practices for server name
identification across protocols: RFC 6125, "Representation and
Verification of Domain-Based Application Service Identity within
Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
the Context of Transport Layer Security (TLS)". (In practice, it's
actually quite close to the HTTPS rules from RFC 2818.)
I'd just like to suggest that further versions of the JDK/JRE could
support an "RFC6125" algorithm in addition to the existing ones, since
it's meant to be independent of the application protocol (perhaps all
this could be enabled by default too, to prevent cases where users
don't verify the host name at all).
Best wishes,
Bruno.
Hello,
Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
algorithms supported by
SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
"LDAPS". ... <deleted>...
I'm not sure if there is much awareness for it, but there is an RFC
that aims to harmonise the best practices for server name
identification across protocols: RFC 6125, "Representation and
Verification of Domain-Based Application Service Identity within
Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
the Context of Transport Layer Security (TLS)". (In practice, it's
actually quite close to the HTTPS rules from RFC 2818.)
I'd just like to suggest that further versions of the JDK/JRE could
support an "RFC6125" algorithm in addition to the existing ones, since
it's meant to be independent of the application protocol (perhaps all
this could be enabled by default too, to prevent cases where users
don't verify the host name at all).
Best wishes,
Bruno.
Attachments
Issue Links
- csr for
-
JDK-8282630 Support endpoint identification algorithm in RFC 6125
-
- Closed
-
- relates to
-
JDK-8282843 sun/security/util/Pem/encoding.sh fails after JDK-7192189
-
- Closed
-
-
-
- Resolved
-
-
-
- Closed
-
(1 links to)