Notes from the Java Reference Implementation Group
Date: October 21, 2010
Time: 3:00 - 4:00 PM EST
Attendees: Beau, Greg, Pat, Michael, Tim, Chris

Notes

  • Greg
    • Completed the intermediate certificate validation
      • All intermediate certs are expected to be in the storage specified in the config (all DNS, or all keystore, etc.)
    • Has been helping Tim with the configuration service
      • UI testing and suggestions
    • Published more documentation for the web configuration for the agent
    • Published documentation for new jars
    • Published documentation for running config-service in a dev environment (jetty, derby)
    • Identified an issue with deploying config-service and config-ui in tomcat (freezes)
      • Temporary solution is to modify the web.xml to prevent auto loading
    • Identified a requirement of Java 1.6 for config
    • Created a tool for creating PKCS12s
      • Working on a swing tool for additional utility functionality
    • Talked about addresses in the UI
      • Trying to figure out a way to create James users based off the addresses in the storage
      • Pat mentioned that James 3 can use a db for users

  • Tim
    • Continuing to work on the UI and has made great progress
      • Moving cert view to separate view
      • Made sure anchors were associated with domain names
      • Incoming and outgoing flags
      • Delete propagation
      • Settings view

  • Vince
    • Completed the ATNA logging for XD
    • Moved configuration params to the web.xml

  • Pat
    • Had questions about LDAP
    • Wondered about storage of private keys
    • Michael commented on his setup
      • Not using HPD as a public directory
      • Using it with an internal address book
      • Data is currently binary
        • Working on getting X509 functional
      • Modifying the HPD as necessary
      • Planning on having everything stored in LDAP
      • Public and private keys will be in separate instances for production
    • Cerner is using their own custom schema
    • Greg commented on current limitations
      • Can only store things in one attribute field
      • Data can only be X509 or PKCS12 (b64 encoded)
        • If we need additional work, we can do it; we just didn't have requirements
        • Attribute field defined in the XML (can be anything you want)
      • Private key has to be encrypted
        • Passphrase attribute to decrypt

  • Misc Discussion
    • Anchors are not checked for expiration dates
      • Can be changed if requirements need it
    • Recommended deprecating using keystores
      • In favor of config-service
    • Adding new domains requires an agent restart
    • Adding new anchors requires an agent restart
    • Newly added private certs are pulled by the agent
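
The single-attribute storage Greg described (base64-encoded X509, or a PKCS12 protected by a passphrase attribute) together with the anchor expiration check noted under Misc Discussion, as an added shell example that is not project code; it requires openssl, and the anchor subject, file names and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not project code): model the one-attribute directory storage
# from the notes (DER cert, base64 in a single field; private key as a PKCS12
# locked by a passphrase attribute) and run the anchor expiry check that the
# notes say is not currently performed. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSPHRASE='constructed-passphrase'   # stands in for the passphrase attribute

# Build a constructed self-signed "anchor" that is valid for one day only.
make_anchor() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-example-anchor" \
    -keyout "$WORK/anchor.key" -out "$WORK/anchor.pem" >/dev/null 2>&1
  # The attribute value as it would sit in the directory: DER, base64, one field.
  openssl x509 -in "$WORK/anchor.pem" -outform DER | base64 | tr -d '\n' \
    > "$WORK/anchor.attr"
  # The private key never goes in unencrypted: PKCS12 under the passphrase.
  openssl pkcs12 -export -inkey "$WORK/anchor.key" -in "$WORK/anchor.pem" \
    -passout "pass:$PASSPHRASE" -out "$WORK/anchor.p12"
}

# Turn the stored attribute value back into a PEM certificate on stdout.
decode_attr() {
  base64 -d "$1" | openssl x509 -inform DER
}

# Expiry check: exit 0 if the anchor is still valid $2 seconds from now,
# nonzero if it expires inside that window (or has already expired).
anchor_valid_for() {
  decode_attr "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# The PKCS12 form only opens with the right passphrase: exit 0 on success.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/anchor.p12" -passin "pass:$1" \
    -nokeys -noout >/dev/null 2>&1
}

make_anchor
if anchor_valid_for "$WORK/anchor.attr" 0; then echo "anchor valid now"; fi
if ! anchor_valid_for "$WORK/anchor.attr" 2592000; then
  echo "anchor expires within 30 days: rotate before trusting long-term"
fi
p12_opens_with "$PASSPHRASE" && echo "PKCS12 opened with passphrase attribute"
p12_opens_with "wrong-passphrase" || echo "PKCS12 rejects wrong passphrase"
```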