JamesH wrote:
> I have some confusion with regard to JSS due to the lack of proper
> documentation. Looks like JDK 6 can talk to NSS natively with this
> configuration:
> http://java.sun.com/developer/technicalArticles/J2SE/security/#2
> If that's the case, why do I need JSS?
> Your comments are appreciated.

If you inspect the javadoc for JSS[1], you'll see that it contains
libraries that can do a lot more than what a simple PKCS#11 bridge can
do. There is a *LOT* more to JSS than just doing some crypto and I use
a significant part of it. If nothing else, it has allowed me to create
some custom ASN.1 structures with the ASN.1 primitives. If you start
working within a PKI of any type you'll be happy to use the rest of the
library.

A limitation of the NSS bridge is that if you add a PKCS#11 module to an NSS
database such as for a smartcard, you won't be able to access that
smartcard through the bridge. If you use JSS, you can easily get lists
of modules and tokens that are configured in the DB and freely access
all of it.

As others have said, they both have their places. I think the most
attractive part of using NSS through the bridge is to very quickly and
easily add FIPS approved cryptography or an ECC implementation (though
Java 7 will have ECC native, yay!).

You may not need JSS, but I do.

And yes, the SunPKCS11 bridge was added in 5:
http://www.j2ee.me/j2se/1.5.0/docs/guide/security/enhancements15.html
And could access NSS more specifically (along with MS CAPI) in 6:
http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html

[1] http://www.mozilla.org/projects/security/pki/jss/javadoc/
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
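
The module and token listing that the reply says JSS makes easy, as an added example that is not part of the original thread or of the JSS project's code. It assumes the JSS jar and native library are installed and that the NSS database directory is passed as the first argument; the class name `ListNssTokens` is hypothetical.

```java
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.pkcs11.PK11Module;

// Hypothetical class name; needs JSS and NSS on the library path.
public class ListNssTokens {

    // One line per token that NSS exposes, grouped by the PKCS#11 module
    // that provides it. Modules added to the NSS database (for example a
    // smartcard driver) show up here next to NSS's internal module.
    static List<String> inventory(CryptoManager cm) throws Exception {
        List<String> lines = new ArrayList<String>();
        Enumeration<?> modules = cm.getModules();
        while (modules.hasMoreElements()) {
            PK11Module module = (PK11Module) modules.nextElement();
            Enumeration<?> tokens = module.getTokens();
            while (tokens.hasMoreElements()) {
                CryptoToken token = (CryptoToken) tokens.nextElement();
                // isLoggedIn() reports whether the token is currently
                // authenticated, which is worth knowing before key use.
                lines.add(module.getName() + " / " + token.getName()
                        + (token.isLoggedIn() ? " (logged in)" : " (not logged in)"));
            }
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ListNssTokens <nss-db-directory>");
            System.exit(2);
        }
        // Opens the cert/key databases and the module list in that directory
        // (assumed to exist already, e.g. created with certutil -N).
        CryptoManager.initialize(args[0]);
        for (String line : inventory(CryptoManager.getInstance())) {
            System.out.println(line);
        }
    }
}
```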