Monday, April 25, 2005


Looking into the PSE Membership


Original Goals and Expectations from the PSE Membership

As described in an email sent to the JXTA user mailing list on March 23rd 2005, what I was trying to achieve with JXTA security was to create a certificate-based authentication peer group. This peer group would allow or deny peers based on whether their X509 certificates were signed by trusted peers. The super peers would also have their certificates signed by a self-signed "Certificate Authority". This would prevent "rogue" super peers.

To keep things simple, these trusted peers would take on the following roles:

For the rest of today's posting I'll call this certificate peer group the "SAXTA peer group".

In short, the certificate trust chain would be:

Envisioned Steps to Achieve These Goals

The steps I was planning to go through to get there were:
  1. Create a self-signed CA.
  2. Create a certificate-based authentication peer group whose certificate is signed by the CA. That includes:
    1. Generate an X509 certificate + private key pair for the peer group.
    2. Have the CA sign the X509 certificate (by emailing a certificate request, for instance). I saw that being an "offline" process.
    3. Build a Membership Service based on the signed X509 certificate + private key pair. I was expecting the PSE Membership to do so.
  3. Have edge peers join the peer group via certificate-based authentication:
    1. Have the edge peer generate an X509 certificate + private key pair for peer group membership.
    2. Have the peer group manager sign the edge peer certificate. Again, I saw that being an "offline" process.
    3. Have the edge peer contact a super peer and exchange certificates:
      1. The edge peer verifies that the super peer certificate is valid using the CA's X509 certificate (the CA X509 certificate is bundled into the application).
      2. The super peer verifies that the edge peer membership application is valid by looking at its certificate and checking that it is signed by an authorized super peer (again, by making sure the super peer's certificate has been signed by the CA).
  4. Finally, have the edge peer join the peer group.
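The trust chain from the steps above, as an added example that is not code from this post or from JXTA's PSE Membership: a Go program built on the standard crypto/x509 package. It creates the self-signed CA, a super peer certificate signed by the CA and an edge peer certificate signed by that super peer, and `verifyChain` is the check both sides perform against the bundled CA certificate (a self-signed "rogue" super peer fails it). One assumption of mine is that super peer certificates carry the CA flag and the certificate-signing key usage, since they endorse edge peers; the names and the key algorithm are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newIdentity generates a key pair and a certificate for name (the post's "X509 + Private Key Pair"),
// signed by parentCert/parentKey, or self-signed when parentCert is nil. isCA marks signers (CA, super peers).
func newIdentity(name string, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as a CA should use
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign // assumption: only the CA and super peers may sign other certificates
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parentCert != nil {
		signerCert, signerKey = parentCert, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return cert, key
}

// verifyChain reports whether leaf chains up to the bundled CA certificate, optionally through
// intermediates (the signing super peer's certificate when an edge peer is being checked).
func verifyChain(leaf, ca *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

An edge peer checks its super peer with `verifyChain(superCert, caCert)`; a super peer checks a joining edge peer with `verifyChain(edgeCert, caCert, signingSuperCert)`, which only succeeds when that signing super peer was itself endorsed by the CA.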

Getting Started

I was very happy to receive a reply to my March 23rd email on the JXTA user list saying that this approach could make sense. Yes! Let's get to work!!!
I was actually expecting the PSE Membership to provide pretty much all of these functionalities. Otherwise, I told myself, what would have been the point of using X509 certificates, key stores, root certificates, etc. in the PSE Membership?
I could not wait to finish a prototype, then come up with a "good" design and re-implementation. I would then turn it into a "tutorial" and propose it as a replacement for the "Secure Peer Group" example in the JXTA Programmer's Manual I wrote years ago. That stuff is really old and, given the encryption method, it does not actually provide much added security.

A month later, I am still in the prototyping phase. Even though I don't have the opportunity to actually work on the coding part more than 30-40% of the time, it is still much more frustrating than I thought...