On 1/10/18 11:44 PM, Weijun Wang wrote:
The class spec of SignedObject.java [1] contains:

 * <pre>{@code
 * Signature signingEngine = Signature.getInstance(algorithm,
 *                                                 provider);
 * SignedObject so = new SignedObject(myobject, signingKey,
 *                                    signingEngine);
 * }</pre>
 ...
 * <p> The signature algorithm can be, among others, the NIST standard
 * DSA, using DSA and SHA-256. The algorithm is specified using the
 * same convention as that for signatures. The DSA algorithm using the
 * SHA-256 message digest algorithm can be specified, for example, as
 * "SHA256withDSA". In the case of
 * RSA or EC the signing algorithm could be specified as, for example,
 * "SHA256withRSA" or "SHA256withECDSA". The algorithm name must be
 * specified, as there is no default.
 *
 * <p> The name of the Cryptography Package Provider is designated
 * also by the Signature parameter to the constructor and the
 * {@code verify} method. If the provider is not
 * specified, the default provider is used. Each installation can
 * be configured to use a particular provider as default.

While the signature algorithm and provider name can be interpreted as those used in the example, I think there is no need to describe them in so much detail in the class spec. The class contains no API that needs the signature algorithm or a provider name. All that is needed is just a Signature object. getAlgorithm() returns the algorithm but it's not input.

I suggest removing the last 2 paragraphs above, and IMO no CSR is needed.

Sounds good. I agree no CSR is needed.

--Sean
