On 5/8/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
Enrique,
just wondering, does all this code comply with US rules about
cryptography?

1) We're using crypto in the JDK. We moved to JDK crypto 100% when
we removed the Bouncy Castle dependency.
2) US export policy restricts key size. For example, the Sun and IBM
JDKs ship with AES256 crypto, but it is disabled by policy. There is
an exception thrown when AES-256 is not enabled.
(a) Because 256-bit AES keys are used in the Kerberos encryption type
'aes256-cts-hmac-sha1-96', you must install the "unlimited strength"
policy file for it to work.
(b) Similarly, the KeyDerivationService interceptor, which is now
responsible for generating 256-bit AES keys, requires the "unlimited
strength" policy for it to automatically generate 256-bit keys.
Enrique
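
The policy restriction described in this message can be checked on a given JVM before the 'aes256-cts-hmac-sha1-96' encryption type is enabled. The following is an added example, not part of the original thread or of the project's code; the class name Aes256PolicyCheck and the all-zero test key are constructed for illustration, and plain AES/CBC is used only to probe the key-size limit, not to implement the Kerberos encryption type.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class: reports whether the installed JCE policy allows 256-bit AES.
public class Aes256PolicyCheck {

    /** Largest AES key size, in bits, permitted by the installed jurisdiction policy. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Tries to initialise an AES cipher with a key of the given size; false if policy rejects it. */
    static boolean canUseAes(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8];              // constructed all-zero test key
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) {
            // A restricted policy rejects the oversized key here, at init time.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("Max AES key length allowed by policy: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        // Kerberos AES encryption types and the key size each one needs.
        String[] etypes = { "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96" };
        int[] bits = { 128, 256 };
        for (int i = 0; i < etypes.length; i++) {
            System.out.println(etypes[i] + ": "
                    + (canUseAes(bits[i]) ? "usable" : "blocked by JCE policy"));
        }
        if (!canUseAes(256)) {
            System.out.println("Install the \"unlimited strength\" policy files "
                    + "before enabling aes256-cts-hmac-sha1-96.");
        }
    }
}
```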