[Bug 2390] [IcedTea7] Make elliptic curve removal optional
bugzilla-daemon at icedtea.classpath.org
bugzilla-daemon at icedtea.classpath.org
Wed Feb 24 13:52:20 UTC 2016
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2390
Tomas Gustavsson <tomas at primekey.se> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
CC| |tomas at primekey.se
Resolution|FIXED |---
--- Comment #5 from Tomas Gustavsson <tomas at primekey.se> ---
I think this is a bad choice. The legal issues with ECC I guess is related to
CertiCom patents, which are on specific implementation detail, which nobody is
using in the wild. And applies equally much to the three remaining curves, so
you have solved nothing regarding potential legal issues.
I'm ok with using BouncyCastle instead of JDK crypto for most things, but for
PKCS#11 the Java PKCS#11 provider should not be crippled. Java does not perform
crypto even.
The world is embrazing ECC right now, and Java goes the opposite direction?
Most GNU/Linux distributions ship with OpenSSL, that supports more curves. I
think there are other reasons for NSS only shipping these, such as "nobody
implemented anything else in NSS".
Can RedHat package with "--enable-non-nss-curves" enabled.
Using NSS as the baseline norm for crypto is too limiting.
(I know you will resolve this again, but I want to nudge, that there is a large
world using other curves out there, with well studied, i.e. no legal issues)
--
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20160224/7ba0d875/attachment-0001.html>
More information about the distro-pkg-dev
mailing list