From Online Reporter, a new sister publication

All bets are off as to when the Java Security API might ship. Rather than relying on a one-size-fits-all security model, the proposed Java security API is based upon the idea of ‘pluggable’ security packages. So, as better implementations or better algorithms come along, these can be written into a package that can be transparently ‘plugged in’ to the java.security class library.

So since the API and the application are separate from the actual security package, they can be freely exported, right? Wrong. Benjamin Renauld, JavaSoft security expert, said at JavaOne: "when you make a call to this API it suddenly becomes ‘radioactive’". The way that the security packages are designed means that overseas crypto fiends can’t just write their own either. Each package must be authorized with a digital signature before being acceptable to the Java security software.

Exactly who gets to do the signing and how the packages get authorized is still being debated with the US authorities, says JavaSoft security specialist Marianne Mueller, adding that "I don’t know how this will play in the worldwide market". Because of the legal restrictions, Renauld told the conference he couldn’t say when the work would actually ship: "it’s very hard for us to have a technology driven schedule," he said.

Mueller says the scheme is similar to a signing system that Microsoft has already got agreed for its own CryptoAPI package. We were unable to confirm Microsoft’s arrangements as we went to press. Overall, JavaSoft is impressed with Microsoft’s crypto approach. Sun Microsystems science office director John Gage calls it "well written", and there is no doubt that Microsoft will be invited on board to discuss Java’s own security APIs.