Make the Java Authentication and Authorization Service (JAAS) a part of the core API so applications can authenticate based on whose running the code.
Move the Java Cryptography Extension (JCE) into the core API, but use code signing to prevent non-U.S. friendly countries from using strong encryption. (See Who Trusts the Trustees? Trusted Security Providers in the Java Cryptography Extension 1.2.1)
Add the Certification
Path API (
to support certificate chains
Support Generic Security Service API Version 2: Java Bindings; i.e. Kerberos
Support RSA's PKCS (Public-Key Cryptography Standards)