CSR RFR: 8233228: Support named curves for all disabledAlgorithms

Sean Mullan sean.mullan at oracle.com
Tue Dec 10 13:57:20 UTC 2019


In general, this CSR looks good. Here are my specific comments:

- The Scope should be "JDK" since these are JDK supported security 
properties.

- The Fix Version should also include 7-pool.

- I would change the summary to "This change adds named elliptic curves 
to the jdk.[tls|certpath|jar].disabledAlgorithms security properties."

- In the Summary and/or Solution sections, you should add that you are 
disabling these legacy curves by default, and add some rationale as to 
why we are doing that. I don't see that specifically mentioned anywhere.

- In the Solution section, missing a period at end of first sentence.

- In the Solution section, there is a typo in the property name 
"jdk.disabled.NamedCurve" (should be plural).

- Typo: "full property name used" -> "full property name is used"

Comments in Specification section:
----------------------------------

1. Change:

+# in jdk.[tls|certpath|jar].disabledAlgorithms.  To include this list 
in any

to:

+# in the jdk.[tls|certpath|jar].disabledAlgorithms properties.  To 
include this list in any

2. We don't support the brainpoolP160r1, brainpoolP192r1, 
brainpoolP224r1 curves, so these don't need to be listed.

3. +# properities.  See the property for details.

Typo: "properties"

--Sean

On 12/9/19 1:10 PM, Anthony Scarpino wrote:
> I need a CSR review for the change with policy and property addition for 
> 8233228.
> 
> https://bugs.openjdk.java.net/browse/JDK-8235540
> 
> Tony
> 


