Cryptix JCE for Java 1.4 Released

Yoda2 writes "A new snapshot of the Cryptix Java Cryptography Extensions (JCE) API was released on the Cryptix.org site yesterday. You can download the file here. Among other things, this finally allows for PGP encryption/decryption of files from the Java JDK 1.4 when used in conjunction with Cryptix OpenPGP."

Since my submission...

[Yoda2]

The Cryptix site was actually updated since my submission to announce an updated snapshot of OpenPGP. You can download it here.

Progress

[ChaosMourn]

I'm glad to see this is finally making progress (at least their OpenPGP implementation is no longer a developer's release...), but I imagine it'll be a while yet until it's ready for commercial use. Unfortunately, it's the only game going for Java-based PGP (except for some API out of China). This leaves me doing some rather tacky things to use GPG in a commercial environment. Why is it that there's so little interest in a real Java API for PGP?

This is important

[JohnA]

Take note of this... until now, there were no open source implementations of the JCE that ran under JDK 1.4. Sun's implementation does not have source available, and they even went the extra step to obfuscate their JCE with DashO-Pro. Transparency is vital to cryptography, as anything less casts a shadow of doubt.

Just my humble opinion...

Re:great, but

[ToastedBagel]

Hmmm...

> First off, it uses Java, which is notoriously non- FREE.

Are you talking about Java Verification Program (US$15,000 wow... http://www.keylabs.com/j2ee/trademark.html). Yes, it costs you a bit to get the license, but as long as you are writing (even enterprise) application for you or your organization, it's really free, right? No source code available for Sun JDK, but it costs US$0.00 to download it and use it, doesn't it?

> Second off, they rely on the PGP encryption too, which is closed source, ...

The reason that we have PGP today is that the author decided to make it open source (for various reasons), right? I just checked PGP Corporation web site (http://www.pgp.com/display.php?pageID=51#anch107) and they say that the source code is available. Am I missing something here?

My prediction

[0x0d0a]

I predict a stunning lack of impact in the Java using world -- people will continue using insecure storage and protocols and plaintext all over the place.

Developers *like* features. They have to have security *forced* upon them.

Re:obsolete soon :(

[ToastedBagel]

> considering that Java 2.0 will be out real soon now (tm),

Java 2.0? I've been looking for information about the release of Java 2.0 for last couple of hours (since I read your post), but I haven't found any. Are you sure Sun is releasing Java 2.0? Look, even if it were true, when is it really going to be released?

What about BouncyCastle

[OttoM]

I think you are mistaken. BouncyCastle does have a JCE that is 1.5 compatible.

Cryptix is quite late with JCE compatibility.

Re:What about BouncyCastle

[OttoM]

Make that 1.4. I hit submit too soon by accident.

What I meant to say is that until now, Cryptix implements the 1.1 version of JCE. This version was never offcially released by Sun. Any decent JCE provider should implement the 1.2 version of the JCE. Luckily Cryptix now seems to to this, after a long period of little activity.

Re:What about BouncyCastle

[JohnA]

Actually, I was referring to the JCE implementation as well as the provider implementation. According to the release page, their clean room JCE doesn't run under JDK 1.4. Cryptix provides a JCE implementation that runs under 1.4, as well as their provider.

I was under the impression that the BouncyCastle license was less than free, but I was mistaken. It is a great package, and it's good to know that there are a variety of open implementations of strong crypto under Java.