RFR (12): 8212669: Add note to Cipher javadoc about using full transformation and not relying on defaults

Sean Mullan sean.mullan at oracle.com
Thu Nov 1 15:47:12 UTC 2018


On 11/1/18 11:27 AM, Xuelei Fan wrote:
> What do you think if adding a note that the default value may be 
> different for each provider, and may be changed from time to time with 
> the development of crypto analysis?

I didn't want to get too wordy, just to make a concise point that 
defaults can be problematic and are not recommended. My preference would 
be to put more wording like that in the security guides.

--Sean

> 
> Xuelei
> 
> On 11/1/2018 7:57 AM, Sean Mullan wrote:
>> Please review this javadoc-only change to the Cipher class. An 
>> @apiNote has been added to each of the getInstance methods to 
>> recommend that the full transformation be specified when creating a 
>> Cipher and to avoid relying on the defaults. Also a link to the 
>> defaults used by the JDK providers has been added as an @implNote.
>>
>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8212669/webrev.00/
>> bug: https://bugs.openjdk.java.net/browse/JDK-8212669
>>
>> Thanks,
>> Sean



More information about the security-dev mailing list