RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v5]
Martin Balao
mbalao at openjdk.org
Wed Dec 18 23:25:39 UTC 2024
On Wed, 18 Dec 2024 21:33:29 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> We included SHA1 because there could be a legacy use case to support and it's part of the test vectors for RFC 5869 (HMAC-based Extract-and-Expand Key Derivation Function (HKDF)). We don't recommend using it, and will probably filter it out once we have the Filter integrated, but would you be okay with keeping it?
>
> Do you have any data on how many legacy use cases use it? I think for new mechanisms we should be forward looking and refrain from adding support for weak or not recommended algorithms unless there is a very good reason. It is often harder to remove something than to add it.
Yes, I see your point. We don't have data to back it up. If someone comes up with a strong case, we can reconsider it in the future. We removed it.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1890947033
More information about the core-libs-dev
mailing list