Please Review: required security algorithms for Java SE 7 implementations

Sean Mullan sean.mullan at
Fri Dec 17 12:35:31 PST 2010

On 12/16/10 1:26 PM, Sean Mullan wrote:
> On 12/15/10 10:38 AM, Florian Weimer wrote:
>> Oh, and I just realized that MD5 and HmacMD5 are missing. These
>> algorithms are still heavily used (and HmacMD5 is not really broken,
>> it's only guilty by association).
> Yes, MD5 is still in use, but I think it is decreasing in use significantly. Can
> you give more rationale, for example data that would suggest that not making
> these algorithms a requirement would affect a significant number of Java
> applications or where SHA-1/HmacSHA1 would not be an adequate alternative?
> Also, just FYI but we have no plans to remove support for MD5 and HmacMD5 from
> OpenJDK.

It was pointed out to me that TLS 1.0 requires MD5 and HmacMD5. Since we have 
listed TLS 1.0 as a requirement, then those should really be added to the 
required algorithms list. So, I've added those to the list and posted a new 
version at:


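Added example, not part of the original message and not OpenJDK code: the TLS 1.0 pseudorandom function and Finished `verify_data` from RFC 2246, written against the JCA algorithm names `MD5`, `HmacMD5`, `SHA-1` and `HmacSHA1`, to show where the protocol depends on the two algorithms added to the list. The class and method names (`Tls10Prf`, `pHash`, `prf`, `finished`) are hypothetical, and the master secret and handshake bytes are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Tls10Prf {
    // P_hash (RFC 2246, section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    // output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    static byte[] pHash(String hmacAlg, byte[] secret, byte[] seed, int len) throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] out = new byte[len];
        byte[] a = seed;
        for (int off = 0; off < len; ) {
            a = mac.doFinal(a);                  // next A(i); doFinal resets the Mac
            mac.update(a);
            byte[] block = mac.doFinal(seed);    // HMAC(secret, A(i) + seed)
            int n = Math.min(block.length, len - off);
            System.arraycopy(block, 0, out, off, n);
            off += n;
        }
        return out;
    }
    // PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
    static byte[] prf(byte[] secret, String label, byte[] seed, int len) throws Exception {
        byte[] l = label.getBytes(StandardCharsets.US_ASCII);
        byte[] ls = Arrays.copyOf(l, l.length + seed.length);
        System.arraycopy(seed, 0, ls, l.length, seed.length);
        int half = (secret.length + 1) / 2;      // halves share the middle byte if odd
        byte[] s1 = Arrays.copyOfRange(secret, 0, half);
        byte[] s2 = Arrays.copyOfRange(secret, secret.length - half, secret.length);
        byte[] md5 = pHash("HmacMD5", s1, ls, len);   // fails here if HmacMD5 is absent
        byte[] sha = pHash("HmacSHA1", s2, ls, len);
        for (int i = 0; i < len; i++) md5[i] ^= sha[i];
        return md5;
    }
    // Finished verify_data (RFC 2246, section 7.4.9):
    // PRF(master_secret, label, MD5(handshake) + SHA-1(handshake))[0..11]
    static byte[] finished(byte[] master, String label, byte[] handshake) throws Exception {
        byte[] m = MessageDigest.getInstance("MD5").digest(handshake);
        byte[] s = MessageDigest.getInstance("SHA-1").digest(handshake);
        byte[] seed = Arrays.copyOf(m, m.length + s.length);
        System.arraycopy(s, 0, seed, m.length, s.length);
        return prf(master, label, seed, 12);
    }
    public static void main(String[] args) throws Exception {
        byte[] master = new byte[48];            // constructed sample, not a real secret
        byte[] hs = "constructed handshake transcript".getBytes(StandardCharsets.US_ASCII);
        System.out.println(Arrays.toString(finished(master, "client finished", hs)));
    }
}
```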