Sean,
I didn't check that anything else changed, but textually looks good.
One comment: you should consider including a link to RFC 5746 like we
do for all of the other RFCs.
If you have time, can you also add the link to the RFC where the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV is defined?
And there were a couple spots in:
http://cr.openjdk.java.net/~mullan/5001004/review.02/StandardNames.html#alg
that are also missing the links to the RFC.
Thanks,
Brad
On 12/28/2010 7:41 AM, Sean Mullan wrote:
I have posted the 3rd revision of the required algorithms list at:
http://cr.openjdk.java.net/~mullan/5001004/review.02/StandardNames.html#impl
Changes since the initial (00) version are:
- added MD5 and HmacMD5 to the required algorithms
- added the CertPath Encodings PKCS7 and PkiPath to the required algorithms
- specified that a TLSv1 implementation must also support the special
signaling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV for safe
renegotiation (see RFC 5746)
Unless there are any further substantial comments, the plan is to
proceed with this list for JDK 7.
Thanks,
Sean
On 12/15/10 10:11 AM, Sean Mullan wrote:
Hello,
Currently, the Java security APIs do not specify algorithm
requirements for
implementations of Java SE. This makes it difficult to develop
conformance
tests. Additionally, there is no guarantee that Java applications
using these
algorithms can inter-operate. See bug 5001004 for more information:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5001004
We will be addressing this issue in Java SE 7 by defining a list of
required
algorithms that all implementations must support. This is the criteria
we used
to decide if an algorithm should be required:
a) the algorithm is required by the JRE itself (ex: when validating
signed jars)
b) the algorithm is required by a higher level Java SE API such as
JSSE/TLS or
XML Signature
c) the algorithm is in wide use
Please review the following list:
http://cr.openjdk.java.net/~mullan/5001004/review.00/StandardNames.html#impl
For each required algorithm, a corresponding section will be added to
the API
class summary of the applicable engine class. For example, for
java.security.cert.CertificateFactory, the following paragraph will be
added:
Every implementation of the Java platform is required to support the
following standard CertificateFactory type:
* X.509
This type is described in the CertificateFactory section of the Java
Cryptography Architecture Standard Algorithm Names Document. Consult
the release documentation for your implementation to see if any other
types are supported.
We are requesting feedback or any questions by December 22.
Thanks,
Sean
