java.security still talks about "limited" as default

java.security still talks about "limited" as default

Bernd Eckenfels-4
Hello,

In the OpenJDK 9.0.1 java.security file, crypto.policy=unlimited is set.

However the boilerplate text above still speaks of "limited" as a default:

# Due to the import control restrictions of some countries, the default
# JCE policy files allow for strong but "limited" cryptographic key
# lengths to be used.  If your country's cryptographic regulations allow,
# the "unlimited" strength policy files can be used instead, which contain
# no restrictions on cryptographic strengths.

I guess this needs to be adjusted.

BTW: does anybody know examples of where limited would be needed?

Regards
Bernd

Re: java.security still talks about "limited" as default

Bradford Wetmore
This was fixed in:

     https://bugs.openjdk.java.net/browse/JDK-8186093

Sadly, it was noticed too late in JDK 9/9.0.1 to fix for GA of those
releases.

Brad



On 11/13/2017 9:19 AM, Bernd wrote:

> Hello,
>
> In the OpenJDK 9.0.1 java.security file, crypto.policy=unlimited is set.
>
> However the boilerplate text above still speaks of "limited" as a default:
>
> # Due to the import control restrictions of some countries, the default
> # JCE policy files allow for strong but "limited" cryptographic key
> # lengths to be used.  If your country's cryptographic regulations allow,
> # the "unlimited" strength policy files can be used instead, which contain
> # no restrictions on cryptographic strengths.
>
> I guess this needs to be adjusted.
>
> BTW: does anybody know examples of where limited would be needed?
>
> Regards
> Bernd