[Bug 2390] [IcedTea7] Make elliptic curve removal optional

bugzilla-daemon at icedtea.classpath.org
Tue Mar 1 01:50:36 UTC 2016


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2390

--- Comment #9 from Andrew John Hughes <gnu.andrew at redhat.com> ---
(In reply to Tomas Gustavsson from comment #8)
> Sorry, will not re-open again.
> 

It just doesn't really help anything, especially if the fix has shipped. In
general, the right course is to file a new bug with the new issue.

> It _used_ to be that if the PKCS#11 provider was configured with a
> full-featured PKCS#11 stack such as SafeNet, Thales, Utimaco or any other
> hardware security module, these curves _were_ usable.
> 
> I still withhold. With these changes Java is less usable for
> security-interested industries such as banking, government etc., which do use
> other curves.
> Saying that it's configurable when building OpenJDK doesn't help much since
> banks and others want to use RHEL with packaged Java.

It doesn't, but it's all we can do here. This is the wrong place to resolve the
issue of how a distribution configures a package. If you're unhappy with the
choices a distribution makes on how to package a piece of software, you should
file a bug with the distribution, not the upstream project.

There is an OpenJDK issue here in that the static list of curves is shared with
both the SunEC & PKCS11 providers and duplicated between both Java code and
native SunEC provider code. The providers should instead be probed for the
curves they support, but that's not something that can change in a released
version, as it affects the API.

> 
> Cheers,
> Tomas
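
To see which named curves each installed provider accepts in a given packaged JDK, the providers can be probed at runtime. The following is an added example, not code from the bug report or from OpenJDK; the class name `CurveProbe` and the candidate curve list are assumptions chosen for illustration. The result shows what the JDK build accepts when an EC key pair generator is initialized, which is what a user of a packaged Java would observe.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CurveProbe {
    // Constructed sample list of standard curve names; extend as needed.
    static final String[] CANDIDATES = {
        "secp256r1", "secp384r1", "secp521r1", "secp256k1", "brainpoolP256r1"
    };

    /** True if the provider's EC KeyPairGenerator accepts the named curve. */
    static boolean accepts(Provider p, String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec(curve)); // no key is generated here
            return true;
        } catch (Exception e) {
            // Unknown algorithm, rejected curve, or a provider/token error.
            return false;
        }
    }

    /** Maps each installed provider offering EC key generation to the curves it accepts. */
    static Map<String, List<String>> probe() {
        Map<String, List<String>> result = new LinkedHashMap<String, List<String>>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") == null) continue;
            List<String> ok = new ArrayList<String>();
            for (String c : CANDIDATES) {
                if (accepts(p, c)) ok.add(c);
            }
            result.put(p.getName(), ok);
        }
        return result;
    }

    public static void main(String[] args) {
        for (Map.Entry<String, List<String>> e : probe().entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

Run it with the same `java.security` configuration the application uses, so that a configured PKCS#11 provider appears in the provider list.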
