Code Note

The String.toUpperCase() or String.toLowerCase() method is locale sensitive, and may produce unexpected results if used for strings that are intended to be interpreted locale independently.

A tool to dumpl PKCS#11 slot information

If a certificate is issued with a authority information access extension which indicates the OCSP access method and location, one can enable the default implementation of OCSP checker during building or validating a certification path.

Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010.

Per the TLS specification (page 39, section 7.4.2, RFC2246), the certificate list passed to server Certificate message or client Certificate message "is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it."

there is a risk of interoperability problems between ITU-T X.509 compliant implementations and PKIX compliant implementations.

Is there any way to enable JSSE debug logging with timestamp? Definitely, the answer is YES. It is straightforward.

RFC5280 categorize certificate into two classes: CA certificates and end entity certificates, and CA certificates are divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates.

The SunJSSE provider now supports an experimental FIPS 140 compliant mode. When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant.

TLS AES ciphersuites for JSSE and the SunJSSE provider