We could examine a mechanism for keystore applications to override the default 
PBE algorithm for protecting keys and certs.
Maybe extend KeyStore.LoadStoreParameter?


On 1 Oct 2012, at 18:50, Michael StJohns wrote:

> My main reason for suggesting this is that all but one of the algorithm 
> suites defined in PKCS12 are either deprecated or prohibited by NIST 
> guidance.  The undeprecated suite appears to be the default one used by the 
> java implementation.  It would be nice to have a choice.
> 
> See below.
> 
> At 12:51 PM 10/1/2012, Vincent Ryan wrote:
>> Hello Mike,
>> 
>> The new PBE algorithms in JEP-121, such as PBEWithHmacSHA256AndAES_128, 
>> could certainly be used
>> for PKCS12 keystores within Java environments - the problem is maintaining 
>> interoperability with existing
>> crypto toolkits and web browsers.
> 
> Yup - but someone has to be first....   :-)
> 
> Mike
> 
> 
>> Is there any interest among those on this list in promoting wider support 
>> for these PBE algorithms?
>> 
>> Thanks.
>> 
>> 
>> On 1 Oct 2012, at 17:06, Michael StJohns wrote:
>> 
>>> At 08:27 PM 9/28/2012, mark.reinh...@oracle.com wrote:
>>>> Posted: http://openjdk.java.net/jeps/166
>>>> 
>>>> - Mark
>>> 
>>> This seems at least partially related to JEP 121 and maybe even dependent 
>>> on it.  Might be useful to have a cross reference.  Also, probably useful 
>>> to decide/state a new default PKCS12 algorithm?  E.g. maybe 
>>> PBEwithSHA256andAES-128?
>>> 
>>> Mike
>>> 
>>> 
> 
> 
