[security-dev 01126]: Re: 6840752: Provide out-of-the-box support for ECC algorithms

Andrew John Hughes gnu_andrew at member.fsf.org
Thu Aug 27 13:52:17 UTC 2009


2009/8/27 Vincent Ryan <Vincent.Ryan at sun.com>:
> Hello Andrew,
>
> Our original intention was to provide a Java implementation of ECC.
>
> However, due to software patents already granted for ECC we were
> constrained in what we could reasonably resource and openly discuss.
>
> In the end we opted to reuse the NSS code from OpenSolaris (which was
> originally developed at Sun Labs and donated to OpenSSL and NSS).
>
> Although, on many non-Windows platforms, this does result in an existing
> system library being replicated in the JDK, perhaps that issue can be
> solved in future by making use of modules.
>
>
>
> Andrew John Hughes wrote:
>> With this changeset:
>>
>> http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/1ff7163fc5f7
>>
>> the new ECC was added to OpenJDK.  When I first read about this, I'd
>> assumed we were getting a Java-based implementation.  The final
>> changeset seems to just be an inclusion of the NSS code into the
>> OpenJDK codebase, which adds yet another case where a system library
>> is replicated internally (the others being libjpeg, libpng, zlib, lcms
>> and probably others I've missed).
>>
>> Is this correct? Were there local modifications to this code as well?
>>
>> As seems to be common practice with OpenJDK, this changeset just
>> appeared with very little, if any, public discussion.
>

Hi Vincent,

Thanks for the explanation.  That makes things clearer.  I guess
that's yet another reason for me to hate software patents :)

I actually think that continuing with the NSS implementation may be
the better course of action.  It means that the same well-tested
implementation (and one that has been FIPS certified) is being used
rather than adding yet another.  Fedora actually have an effort to
make all their packages use NSS
(http://fedoraproject.org/wiki/FedoraCryptoConsolidation) so this fits
in well with that.

The problem is more the fact that it's an additional copy rather than
using the system installation, which means it has to be patched for
bugs and security fixes separately.  For IcedTea, I'll look at
providing and using the option of using the system NSS and will also
submit this for review here if there is interest in providing such an
option.
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8


