Scott,

thanks for the info and the background on JuiCE. Do you
(or somebody else on the list) know about the threading
issues you mentioned? What was the problem here?

I've looked into the OpenSSL code and as far as I could see
there should be no threading issue. There may be a threading
issue if you use the same Digest/Crypto context data in
several threads - this I don't do because I allocate
the contexts per crypto/digest/signature instance.

Using an OpenSSL binding to a JCE provider, as I did
as an experiment for BC, showed that we could speed up
Signature processing (RSA/SHA-1) as well as encrypted
key processing (RSA-OAEP) by a factor of 3-4; symmetrical
encryption/decryption is about twice as fast.

In addition to Raul's work (I also did some performance tests
before and after his modifications - it was a tremendous boost)
this gives reasonable performance for security-enhanced
WebService server applications.

Regards,
Werner

> -----Original Message-----
> From: Scott Cantor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 9, 2005 01:00
> To: security-dev@xml.apache.org; wss4j-dev@ws.apache.org
> Subject: RE: JuiCE - some ideas and a proposed draft "roadmap"
> 
> > Well, JuiCE seems to have been dormant for about 1 1/2 years. The
> > homepage still says the mailing lists need to be created - thus
> > I'm sending this info to WSS4J and security-dev to get some
> > info and feedback to the proposals/ideas listed below.
> 
> The JuiCE idea came from some early work that was done by some developers on
> the Shibboleth (and OpenSAML) projects because early versions of xmlsec were
> extremely slow. At the time, something like JuiCE seemed like a worthwhile
> project and some people involved with WSS4J asked if we'd donate the
> project, so we did.
> 
> Shortly after that, Raul (bless him) got involved with the xmlsec code and
> did a serious number on it that basically tripled the performance overnight.
> Needless to say, the impetus for JuiCE lost its, umm, juice.
> 
> There's certainly no objection on our part to somebody reviving it if
> there's interest and effort there.
> 
> I think one small issue left for JuiCE was to make it properly thread safe.
> 
> > There is one missing link: to use JuiCE we need a certificate signed
> > by Sun (Sun acting as a certificate authority in this case). There
> > is (somewhere in the latest doc about JCE provider)
> > a description of how to get such a certificate - I can check it
> > and provide the necessary info. This certificate must be used to
> > sign the JuiCE jar
> 
> I think that's only required for certain things, but I don't really remember
> anymore. I know it was tested a bit by us without doing that.
> 
> > Btw: I haven't checked it - but who has write access to the JuiCE
> > SVN repos? Or can grant write access to it?
> 
> I don't know if it's SVN, actually. I know of some of the Shib folks that
> had write access, they can chime in, but I think we'd be happy to see others
> take the lead on it.
> 
> -- Scott
> 
> 
