ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dittmann, Werner" <>
Subject AW: JuiCE - some ideas and a proposed draft "roadmap"
Date Wed, 09 Nov 2005 07:18:45 GMT

thanks for the info and the background on JuiCE. Do you
(or somebody else on the list) know about the threading
issues you mentioned? What was the problem here?

I've looked into openSSL code and as far as I could see
there should be no threading issue. There may be a threading
issue if you use the same Digest/Crypto context data in
several threads - this I don't do because I allocate
the contexts on a per crypto/digest/signature instance.

Using an openSSL binding to a JCE provider as I did
it as an experiment for BC showed that we could speed up
Signature processing (RSA/SHA-1) as well as encrypted
key processing (RSA-OAEP) by a factor of 3-4, symmetrical
encryption/decryption is about twice as fast.

In addition to Raul's work (I also did some performace tests
before and after his modifications - was a tremendous boost)
this gives a reasonable performace for security enhanced 
WebService server applications.


> -----Urspr√ľngliche Nachricht-----
> Von: Scott Cantor [] 
> Gesendet: Mittwoch, 9. November 2005 01:00
> An:;
> Betreff: RE: JuiCE - some ideas and a proposed draft "roadmap"
> > Well, JuiCE seems to be dormant since about 1 1/2 year. The
> > homepage still says the mailing lists need to be created - thus
> > I'm sending this info to WSS4J and security-dev to get some
> > info and feedback to the proposals/ideas listed below.
> The JuiCE idea came from some early work that was done by 
> some developers on
> the Shibboleth (and OpenSAML) projects because early versions 
> of xmlsec were
> extremely slow. At the time, something like JuiCE seemed like 
> a worthwhile
> project and some people involved with WSS4J asked if we'd donate the
> project, so we did.
> Shortly after that, Raul (bless him) got involved with the 
> xmlsec code and
> did a serious number on it that basically tripled the 
> performance overnight.
> Needless to say, the impetus for JuiCE lost its, umm, juice.
> There's certainly no objection on our part to somebody reviving it if
> there's interest and effort there.
> I think one small issue left for JuiCE was to make it 
> properly thread safe.
> > There is one missing link: to use JuiCE we need a certificate signed
> > by Sun (Sun acting as a certificate authority in this case). There
> > is (somewhere in the latest doc about JCE provider)
> > a description how to get such a certificate - I can check it
> > and provide the necessary info. This certificate must be used to
> > sign the JuiCE jar
> I think that's only required for certain things, but I don't 
> really remember
> anymore. I know it was tested a bit by us without doing that.
> > Btw: I havn't checked it - but who has write access to the JuiCE
> > SVN repos? Or can grant write access to it?
> I don't know if it's SVN, actually. I know of some of the 
> Shib folks that
> had write access, they can chime in, but I think we'd be 
> happy to see others
> take the lead on it.
> -- Scott

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message