Draft design for Key Derivation API

Adam Petcher adam.petcher at oracle.com
Mon Nov 20 16:09:50 UTC 2017


On 11/19/2017 3:15 PM, Michael StJohns wrote:

>
>> That behavior all sounds reasonable, I just have doubts that this 
>> belongs in the spec. Are you expecting KeyDerivation to contain the 
>> logic in your last paragraph? Something like this:
>>
>> <snip>
>>
>>
> KDFs are somewhat problematic in that *_they may not necessarily be 
> producing objects from their own provider_*. This unfortunately isn't 
> obvious, but let me try and explain.
>
> <snip>

Your response didn't contain a direct answer to my question above. If I 
am interpreting your response correctly, then your answer is "Yes, and 
we may need some additional information in DerivationParameterSpec (or 
elsewhere) that controls this logic." Though I'm not sure I am 
interpreting this correctly, so please let me know.

To be clear: I don't object to including the method that returns an 
Object produced by a KDF. I'm specifically asking about the requirement 
that this class of objects has a (byte[] int) constructor, and how that 
constructor is expected to be used.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20171120/475798ea/attachment.html>


More information about the security-dev mailing list