A Java API for X.509 Proxy Certificates

X.509 Proxy Certificates have been proposed for use in the Grid Security Infrastructure to allow dynamic delegation of rights and single sign-on for end users. Proxy certificates are evaluated to secure a service-oriented architecture for digital content based on Web Services. This paper describes how support for proxy certificates was implemented in Java through extensions to the Java Cryptography API and related security APIs. The principal challenges involved providing control over which proxy certificate to use per SSL connection, validating proxy certificate chains and supporting runtime generation of proxy certificates.