> -----Original Message-----
> From: Bernt.Johnsen@Sun.COM [mailto:Bernt.Johnsen@Sun.COM]
> Sent: Saturday, June 16, 2007 3:19 AM
> To: Derby Discussion; msegel@segel.com
> Subject: Re: User/password encryption and deployment
>
> >>>>>>>>>>>> Michael Segel wrote (2007-06-16 00:23:56):
> > Which is why I'm a little suspect that the *only* way to do encryption on
> > the wire is to be forced to bring in IBM's JCE.
>
> You don't need the IBM JCE. Sun's JDK comes with a JCE which works
> just fine. The docs try to tell you that if you use an old IBM
> environment, you need to install IBM's JCE separately.
>

Ok, then the documentation needs to be updated. As written it is a *tad* confusing.

> There is, however, a small issue: if you choose
> ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCEs (from 1.4, I
> think) do not support the shared DHS value defined in the DRDA
> protocol. It's too weak. As an alternative solution for password
> protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY.

Define "too weak". If you're talking about an encrypted database, then yes. If you're talking about transport layer security, then maybe not.

Being a paranoid DBA, I'm all for strong security like some of the newer features introduced in IBM's IDS 11 (That's the old Informix database). However, I'm also practical. When applying security, you need to take a look at the entire system, use case and potential threats.

It is interesting that you have Sun's view of the world and IBM's. IBM is "pushing" their DRDA into all of their products and are writing their front end tools/adaptors to this specification, such that RoR, Java, Python and I think Perl will be able to use a common adaptor to touch all of their databases. (Read DB2[i,z,luw], and IDS) Not sure how Cloudscape/Derby fits in with their strategy since they're dropping support in 2008. Is Sun and/or the community going to support DRDA for Derby/JavaDB?
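
Added example, not part of the original thread or of Derby's code: a probe that asks the JVM's default JCE provider whether it will generate Diffie-Hellman keys for a modulus of a given size, which is the kind of rejection described above for ENCRYPTED_USER_AND_PASSWORD_SECURITY. The 256-bit figure for the DRDA-defined modulus is an assumption, and the prime and generator are constructed at random for the probe rather than taken from the DRDA specification.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

public class DhModulusProbe {

    /**
     * Returns true if the default "DH" provider generates a key pair
     * for a modulus of the requested bit length.
     */
    static boolean providerAccepts(int modulusBits) {
        // Constructed parameters: a random probable prime of the requested
        // size and generator 2. These are NOT the DRDA-defined values; only
        // the modulus size matters for this check.
        BigInteger p = BigInteger.probablePrime(modulusBits, new SecureRandom());
        DHParameterSpec spec = new DHParameterSpec(p, BigInteger.valueOf(2));
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(spec);   // size check happens here in Sun's provider
            kpg.generateKeyPair();
            return true;
        } catch (GeneralSecurityException | InvalidParameterException e) {
            // The provider's message states the range of sizes it accepts.
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // 256 = assumed size of the DRDA shared modulus; 512 and 1024 are
        // included for comparison with sizes a provider is likely to accept.
        for (int bits : new int[] {256, 512, 1024}) {
            System.out.println(bits + "-bit DH modulus supported: "
                    + providerAccepts(bits));
        }
    }
}
```

Running this on the JVM that hosts the Derby client or server shows whether that environment can negotiate a DH exchange of the assumed size; the accepted sizes depend on the JDK version and the installed provider.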