RFR: 8315487: Security Providers Filter [v17]
Martin Balao
mbalao at openjdk.org
Tue Dec 17 23:02:48 UTC 2024
On Tue, 17 Dec 2024 21:24:16 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
> Then, please redefine the scope and purpose of this feature. It is just a part of the solution. Xuelei
I see it differently. It's a solution for the problem that we think it is worth addressing from the JDK/JCA perspective. It's not a framework to assist security providers with their FIPS configuration and certification process: they will need to implement self-integrity tests, register the algorithms and algorithm parameters they have certified for a specific version, and possibly many other requirements. If they change the algorithms, they will have to go through the certification process again —not just change a Filter rule—. A security provider that registers non-FIPS approved algorithms will not get a certification anyways. The problem that we have is with non-FIPS providers that make available crypto that shouldn't be used. Perhaps I can add a non-goal to the JEP, if it helps to clarify this confusion.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/15539#issuecomment-2549828885
More information about the core-libs-dev
mailing list