On 11/6/2019 11:27 AM, Sean Mullan wrote:
Please remove this change to remove the Java SE requirements to
implement security algorithms based on DES, MD5, or ECB. It makes
sense to periodically review these requirements and remove algorithms
or modes that are known to be weak and of which usage has declined
significantly and thus compatibility risk is much lower.
Note that we are not removing the actual implementations of these
algorithms from the JDK. This just means that an SE implementation is
not required to support these algorithms.
webrev: https://cr.openjdk.java.net/~mullan/webrevs/8214483/webrev.00/
CSR: https://bugs.openjdk.java.net/browse/JDK-8233607
Thanks,
Sean
I don't have a problem with removing DES or MD5 from the must-implement
list, but ECB is a fundamental building block mode. It's going to be
how you implement a new mode before there's specific support for that
mode. Pretty much any mode can be implemented using ECB as its only
real crypto operation. E.g. CBC, CTR, CCM, GCM, CFB, OFB etc are all
wrapped around ECB in some form. Please continue to require that it be
implemented. Policy MAY restrict the use of the mode for a given key,
but that's a provider issue.
Mike