RFR (12): 8212669: Add note to Cipher javadoc about using full transformation and not relying on defaults
Xuelei Fan
xuelei.fan at oracle.com
Thu Nov 1 15:56:14 UTC 2018
Okay. Looks fine to me.
Thanks,
Xuelei
On 11/1/2018 8:47 AM, Sean Mullan wrote:
> On 11/1/18 11:27 AM, Xuelei Fan wrote:
>> What do you think if adding a note that the default value may be
>> different for each provider, and may be changed from time to time with
>> the development of crypto analysis?
>
> I didn't want to get too wordy, just to make a concise point that
> defaults can be problematic and are not recommended. My preference would
> be to put more wording like that in the security guides.
>
> --Sean
>
>>
>> Xuelei
>>
>> On 11/1/2018 7:57 AM, Sean Mullan wrote:
>>> Please review this javadoc-only change to the Cipher class. An
>>> @apiNote has been added to each of the getInstance methods to
>>> recommend that the full transformation be specified when creating a
>>> Cipher and to avoid relying on the defaults. Also a link to the
>>> defaults used by the JDK providers has been added as an @implNote.
>>>
>>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8212669/webrev.00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8212669
>>>
>>> Thanks,
>>> Sean
More information about the security-dev
mailing list