Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7192189

Support endpoint identification algorithm in RFC 6125

XMLWordPrintable

    • b13
    • generic
    • generic

      See http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005371.html

      Hello,

      Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
      algorithms supported by
      SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
      "LDAPS". ... <deleted>...

      I'm not sure if there is much awareness for it, but there is an RFC
      that aims to harmonise the best practices for server name
      identification across protocols: RFC 6125, "Representation and
      Verification of Domain-Based Application Service Identity within
      Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
      the Context of Transport Layer Security (TLS)". (In practice, it's
      actually quite close to the HTTPS rules from RFC 2818.)

      I'd just like to suggest that further versions of the JDK/JRE could
      support an "RFC6125" algorithm in addition to the existing ones, since
      it's meant to be independent of the application protocol (perhaps all
      this could be enabled by default too, to prevent cases where users
      don't verify the host name at all).

      Best wishes,
      Bruno.

        There are no Sub-Tasks for this issue.

            mullan Sean Mullan
            xuelei Xuelei Fan
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: