directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: OpenJDK Security Group Q&A
Date Thu, 22 Sep 2016 15:55:02 GMT
On 22/09/16 at 16:56, Steve Moyer wrote:
> All,
>
> During the birds-of-a-feather session titled "OpenJDK Security Group: Discussion and
> Q&A" on Tuesday night, there were relatively detailed discussions of what changes (plus
> and minus) might be made in OpenJDK 9 and 10.  Once the module system (Jigsaw) is in place,
> there are also plans to eliminate many of the restricted Sun classes and to hide others.
>
> Those of us who have been careful not to use these restricted classes, we've often recreated
> the code (in some facsimile).  Part of the discussion also focused on which classes would
> be useful to the community if they were made public.  Since there is Kerberos protocol code
> in the Kerberos implementation of the LoginContext and LDAP protocol code underlying JNDI
> connections to LDAP, these are potential candidates.
>
> The OpenJDK security group asked us to provide a list of what classes (or packages of
> classes) might be useful to the community.  Here are some of the packages we discussed:
>
> - GSSAPI Enhancements with more public methods (this is planned)
> - SSLEngine (enhance and make more methods public)
> - ASN.1
> - BER
>
> So ... what other categories of classes would be useful?  The Apache Directory project
> obviously maintains code that performs the same functions - wouldn't it be nice if the JDK
> itself took over some of the low-level protocol code (especially where it already exists).
> If we collect a list in this email thread I'd be happy to pass it along.

FTR, ASN.1 classes would be a bit problematic, as it all depends on the
encoding used. BER, that is a different story.

We don't use JNDI (except in places where we need to convert JNDI to
LDAP API).

Kerberos is definitely something we use and would love to have
improved features in the JDK.


And if they decided to rewrite SSLEngine, I would have only one thing to
say: Hurrah!
