Overview
Proposal for an OpenSSL based JCE implementation, an XML Subproject (via Incubator and within xml-security)
3 March 2004, Berin Lautenbach (berin@wingsofhermes.org)
= (0) rationale =
As an input to the Shibboleth project (http://shibboleth.internet2.edu/) a number of contributors have created a skeleton JCE implementation based on OpenSSL. Initial results indicate that a native implementation of cryptographic algorithms may be significantly faster than Java based implementations, leading to potential performance improvements in Java applications that make use of cryptography.
The initial implementation can be found in the Shibboleth CVS (http://cvs.internet2.edu/cgi-bin/viewcvs.cgi/NativeJCE/).
It has been proposed that the skeleton NativeJCE project be brought into the ASF. This would fit well with the xml-security project, where the current C++ xml-security implementation already uses OpenSSL as its cryptographic base. By providing an OpenSSL based JCE, the xml-security project will potentially be able to speed up the Java based xml-security library for those who need higher speed encryption.
Note that while this is being proposed by the xml-security team, this would be a separate implementation. It is a key requirement of the xml-security Java library that it be able to work with any compliant JCE. This would simply provide users with an option for a native JCE.
Given the separation from the xml-security code, the Native JCE would be useable as a separate entity.
== (0.1) criteria ==
Community: A small number of developers within the Shibboleth project have been working to create the initial skeleton. They are interested in continuing the development effort within Apache, and would be augmented by the developers within the xml-security team.
Core Developers: Primary author is Walter Hoehn <wassa@memphis.edu>
Alignment: As a standalone module, it does not rely on any ASF software. However, the original team makes heavy use of ASF software now, and the intent was to use the JCE as a performance improvement for xml-security.
Scope: The new sub-project would provide an implementation of the JCE based on the OpenSSL cryptographic toolkit.
== (0.2) warning signs ==
Orphaned Products: The current developers will remain active and with the project as it moves into the ASF.
Inexperience: The xml-security team (plus others from within the ASF who are interested) will also become part of the sub-project.
Homogeneous Developers: The current developers are already working in the Open Source arena, and the code was released under the Shibboleth license (a BSD style license). They will be augmented by the xml-security developers.
Reliance on Salaried Developers:
No ties to other Apache Products: The tie is a reverse one - the skeletal library was designed as a way to speed the OpenSAML library up. The OpenSAML library currently uses the ASF XML-Security library as the underlying support for XML Signatures.
= (1) scope of the subproject =
As stated above, the subproject will look at implementing the JCE around the OpenSSL cryptographic toolkit.
== (1.1) Signing Certificate ==
Note that the ASF will need to obtain a Code Signing Certificate from Sun Microsystems to enable the library to work. Some research has been done on this. A fairly simple process needs to be followed to request the certificate from Sun. Sun will provide this certificate, subject to the ASF signing a form indicating that the Foundation understands the US export control requirements and agrees to abide by them. This process will be started as soon as the project is approved for Incubation.
An agreed process for caring for the private key associated with the Code Signing Certificate will need to be formulated prior to the request to Sun being made.
More information on the process to obtain a certificate can be found at:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html (Step 5A)
= (2) identify the initial source from which the subproject is to be populated =
http://cvs.internet2.edu/cgi-bin/viewcvs.cgi/NativeJCE/
= (3) identify the ASF resources to be created =
== (3.1) mailing list(s) ==
???-dev
== (3.2) CVS repositories ==
xml-??? (proposed)
== (3.3) Bugzilla ==
= (4) identify the initial set of committers =
{{{
Walter Hoehn <wassa@memphis.edu>
Noah Levitt <nlevitt@columbia.edu>
Karel Wouters <Karel.Wouters@esat.kuleuven.ac.be>
Axl Mattheus <Axl.Mattheus@Sun.COM>
Erwin van der Koogh <vdkoogh@apache.org>
Berin Lautenbach <berin@wingsofhermes.org>
Davanum Srinivas (dims@yahoo.com)

Plus potentially:
Scott Cantor <cantor.2@osu.edu>
}}}
= (5) identify apache sponsoring individual =
Berin Lautenbach <berin@wingsofhermes.org>