PSE Access Service

http://weblogs.java.net/blog/bondolo/archive/2006/04/pse_access_serv.html

——————————————————————————————————————————————————————

PSE Access Service

Posted by bondolo on April 14, 2006 at 2:09 PM EDT

A couple of weeks ago I mentioned a new PSE based Access Service for JXTA. Well, a primordial version has now appeared as part of issue #1517. The current version is functional, but not deployable since it isn't actually secure.

The point of posting this early version is to attempt to better understand the required API and usage patterns. I encourage JXTA application developers to begin exploring using Access Service in their programs. I've been doing so myself with an experimental enhancement to the Resolver Service which makes use of the new PSE Access Service. I'll probably post the modified Resolver Service in a few days when I'm more comfortable with the changes.

It seems that integrating the PKIX validation (RFC 3280) may be a chore. Not that it's that hard, but it seems like there may be some work in getting all the various bits into the appropriate structures. For now the validation done by the PSE Access Service simply compares certificates chains via equals() to ensure that the provided credential was issued by a signer who had a parent in the "operation" certificate chain. This produces results which are naively the same as PKIX validation but it can be easily fooled by hand constructed certificate chains and it ignores matters such as certificate expiring and CRLs.