RFR 8177291: [doc] weak algorithms and crypto policy in JGSS docs

Sean Mullan sean.mullan at oracle.com
Mon Apr 3 13:35:24 UTC 2017

Hi Max,

Just a few comments:

"The default jurisdiction policy files bundled in Java SE is now 
unlimited, which means the AES-256 encryption type is available by default."


"The DES based encryption types (including des-cbc-md5 and des-cbc-crc) 
are disabled by default."

Was this in the 8.0 release? If not, we probably should not list it here 
because this is for features in the major releases.

"In "Goal of this exercise", remove "and DES", "DES-CBC-MD5" and 

I can't find this sentence in the doc. Also, these algorithms are still 
supported, just not enabled by default, so we should list them in the 
supported section.

"At the end of this section, add "Note: DES based encryption types are 
disabled by default."


"First, you need to update to use the KDC that supports the required 
Kerberos encryption types, such as latest Solaris or the MIT Kerberos 
from MIT distribution. If you are using Active Directory on a Windows 
platform, the latest version also supports RC4-HMAC and AES encryption 

s/to use the KDC/the KDC/

s/such as latest Solaris or the MIT Kerberos from MIT distribution./such 
as the latest version of Solaris or the latest version of Kerberos from 
the MIT distribution./


On 3/20/17 10:01 PM, Weijun Wang wrote:
> This is not exactly a code review, I'd like you to review my suggested
> changes on the JGSS guides in
>   https://bugs.openjdk.java.net/browse/JDK-8177291
> If everything is OK, I can pass it to the doc writer.
> Thanks
> Max
