
Support new endpoint identification algorithm in RFC 6125

    Details

    • Type: Enhancement
    • Status: Open
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: 8
    • Fix Version/s: 15
    • Component/s: security-libs
    • Labels:

      Description

      See http://mail.openjdk.java.net/pipermail/security-dev/2012-August/005371.html

      Hello,

      Looking at the Javadoc for X509ExtendedTrustManager, it seems that the
      algorithms supported by
      SSLParameters.setEndpointIdentificationAlgorithm(...) are "HTTPS" and
      "LDAPS". ... <deleted>...

      I'm not sure if there is much awareness for it, but there is an RFC
      that aims to harmonise the best practices for server name
      identification across protocols: RFC 6125, "Representation and
      Verification of Domain-Based Application Service Identity within
      Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in
      the Context of Transport Layer Security (TLS)". (In practice, it's
      actually quite close to the HTTPS rules from RFC 2818.)

      I'd just like to suggest that further versions of the JDK/JRE could
      support an "RFC6125" algorithm in addition to the existing ones, since
      it's meant to be independent of the application protocol (perhaps all
      this could be enabled by default too, to prevent cases where users
      don't verify the host name at all).

      Best wishes,
      Bruno.
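As an added illustration of the existing API the mail refers to (example code written for this page, not part of the issue or of OpenJDK), the following shows the difference between a raw SSLSocket that only validates the certificate chain and one on which endpoint identification has been turned on through SSLParameters.setEndpointIdentificationAlgorithm, so that the server name is also checked. The host name and port are supplied by the caller; "HTTPS" is one of the two algorithm names the mail says are currently supported.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class EndpointIdentificationExample {

    /**
     * Opens a TLS connection WITHOUT endpoint identification.
     * The default trust manager validates the certificate chain, but
     * nothing checks that the certificate was issued for {@code host},
     * so a valid certificate for any other name would be accepted.
     * Kept here only to show the weak configuration beside the fixed one.
     */
    public static SSLSocket connectUnverified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    /**
     * Opens a TLS connection WITH endpoint identification enabled.
     * Passing the host as a String (rather than an InetAddress) matters:
     * it is the name the identification algorithm compares against the
     * certificate's SubjectAltName / CN entries. A mismatch makes
     * startHandshake() throw an SSLHandshakeException.
     */
    public static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Copy the socket's current parameters, enable the HTTPS rules
        // (RFC 2818 style matching, "LDAPS" is the other supported value)
        // and apply them back before the handshake starts.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // assumed target, supplied by caller
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket socket = connectVerified(host, port)) {
            System.out.println("Handshake OK, peer identity checked: "
                    + socket.getSession().getPeerPrincipal());
        }
    }
}
```

The same SSLParameters object can be applied to an SSLEngine with setSSLParameters(), so the pattern carries over to NIO-based clients. HttpsURLConnection performs this host name check on its own; it is the direct SSLSocket and SSLEngine users that silently skip it unless an algorithm is set, which is the case the mail's last paragraph is worried about.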

      People

      • Assignee: Sean Mullan (mullan)
      • Reporter: Xue-Lei Fan (xuelei)
      • Votes: 0
      • Watchers: 2