Parameterization of key length *and* algorithm choice (TDEA, AES), I recommend.
Bear in mind that if you don't use ICSF (or perhaps System SSL) then, most probably, secure key and protected key are foreclosed, and somebody will have to start from scratch to fix your code if/when the time comes. If you'd like a quick introduction to secure key and protected key, I recommend IBM Document No. WP100647, available here: http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100647

As something of a "Band-Aid" approach you could look at partially isolating your encryption handling routine, for example by having a storage boundary at run-time. That wouldn't be secure key or protected key, of course.

It also occurs to me that there are a couple countries now, and perhaps a couple more to come, where your code would be flat out rejected since those countries tend to require use of their own national cryptographic algorithms. ICSF helps insulate your code from those considerations, too. So if your code has any possibility of market sale across a border, or if the owner of the code could expand its business into those markets, your code (as it is now) will probably need to be ripped up and completely rewritten.

This thread is a microcosm of the sort of considerations professional developers *ought* to have, to at least strive to write *enduring* code -- and preferably not write code at all unless really required since custom code itself has an inherent brittleness to it. These are the sorts of considerations I try to imagine in my line of work, to imagine how the design will be flexed and evolve over time. I think it's worth spending at least a little time worrying about such issues, because then it's more likely that one creates great, durable, timeless work.
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN