JDK-7024850

Consider shipping Unlimited Crypto Policy files by default.

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 7
    • Fix Version/s: None
    • Component/s: security-libs

      Description

      Change to ship unlimited policy files by default.

      A historical note. This bug used to say:

          The files in jdk/make/closed/javax/crypto/doc are old and need to be updated. There are still the old Sun
          copyright and website links.

      That was split into JDK-7042097.

          Activity

          wetmore Bradford Wetmore added a comment -
          BT2:EVALUATION

          We have received approval to ship unlimited by default.
          wetmore Bradford Wetmore added a comment -
          BT2:EVALUATION

          Will file a separate bug to track update of the unlimited policy text files.
          wetmore Bradford Wetmore added a comment -
          BT2:EVALUATION

          Code is ready, just need to get approval to make the change.
          wetmore Bradford Wetmore added a comment -
          BT2:EVALUATION

          Proposed documentation changes, based on the almost-FCS state of the JDK7 docs.

          enhancements7.html
          ==================
          Add:

          ---begin---
          The Oracle JDK implementation no longer restricts key lengths in its jurisdiction policy files.
          ---end---

          You can point to the SunProviders documents if you like.


          SunProviders.html
          =================
          In the section "Import Limits on Cryptographic Algorithms".

          ---begin---
          The Oracle implementation's default jurisdiction policy files no longer limit the key length of cryptographic algorithms. It is the user's responsibility to ensure that use of the JDK is allowed under local regulations.
          ---end---

          Then comment out the table, and add to the comment that "here are the previous values for those that might want to reuse this table.".


          CryptoSpec.html
          ===============
          Replace:

          ---begin---
          The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). Any such restrictions are specified in "jurisdiction policy files".

          Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the Java SE Development Kit 6 from Sun Microsystems specify that "strong" but limited cryptography may be used. An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCA framework will enforce the restrictions specified in the installed jurisdiction policy files.
          ---end---

          with:

          ---begin---
          The JCA framework includes the ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). These restrictions are specified in "jurisdiction policy files". By default, the Oracle JDK implementation policy files no longer have such restrictions, but other implementations may continue to do so. Applications should always be coded to account for this possibility.
          ---end---

          Then in Appendix C, change to say:

          "By default, the Oracle JDK implementation's policy files no longer restrict key sizes. For more info..."

          HowToImplAProvider
          ==================
          Remove:

          ---begin---
          Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK 6 from Sun Microsystems specify that "strong" but limited cryptography may be used. An "unlimited" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCA framework will enforce the restrictions specified in the installed jurisdiction policy files.
          ---end---

          JSSERefGuide.html
          =================

          Remove this footnote and its anchor:

              2 Cipher suites that use AES_256 require installation of the JCE
              Unlimited Strength Jurisdiction Policy Files. See Java SE Download
              Page.

          BTW, I noticed several references to Sun or Sun Microsystems in the docs.

          Feel free to wordsmith that, it was very hastily written. I don't know if there is a better term than "the Oracle JDK implementation" to specify our implementation.
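
The proposed CryptoSpec text above says applications should account for implementations whose policy files still restrict key sizes. The following is an added example, not part of the comment or of the JDK documentation, showing one way to do that at startup; the class name `JurisdictionPolicyCheck` and the `minBits` threshold are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JurisdictionPolicyCheck {

    /**
     * Strongest AES key size (bits) the installed jurisdiction policy permits,
     * or an exception if that is below minBits (fail closed, no silent downgrade).
     */
    static int strongestAllowedAesBits(int minBits) throws GeneralSecurityException {
        // Integer.MAX_VALUE means the unlimited policy is in effect.
        int policyMax = Cipher.getMaxAllowedKeyLength("AES");
        for (int bits : new int[] {256, 192, 128}) {
            if (bits <= policyMax && bits >= minBits) {
                return bits;
            }
        }
        throw new GeneralSecurityException(
            "Jurisdiction policy caps AES at " + policyMax + " bits; need >= " + minBits);
    }

    public static void main(String[] args) throws Exception {
        int policyMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES policy limit: "
            + (policyMax == Integer.MAX_VALUE ? "unlimited" : policyMax + " bits"));
        // Set on JDKs that select the policy through java.security; null otherwise.
        System.out.println("crypto.policy   : " + Security.getProperty("crypto.policy"));

        int minBits = 128; // assumption: this deployment's own minimum
        int bits = strongestAllowedAesBits(minBits);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits);
        SecretKey key = kg.generateKey();

        // Cipher.init throws InvalidKeyException for a key above the policy limit,
        // which is why the key size is chosen against the policy first.
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = cipher.doFinal("constructed sample plaintext".getBytes("UTF-8"));
        System.out.println("Encrypted " + ct.length + " bytes with AES-" + bits);
    }
}
```

Raising `minBits` to 256 turns the check into a hard requirement: on a runtime with the limited policy installed, startup fails with a clear message instead of an `InvalidKeyException` deep inside a TLS or encryption call.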
          wetmore Bradford Wetmore added a comment -
          This was split off from this bug id.
          wetmore Bradford Wetmore added a comment -
          The corresponding update installer bug.
          wetmore Bradford Wetmore added a comment -
          Ran out of time to make this happen in JDK8 GA, see previous comment.
          wetmore Bradford Wetmore added a comment -
          Both policy files ship in JDK 9, but limited is installed by default.
          wetmore Bradford Wetmore added a comment -
          JDK-8157561 adds the policy files in the distribution

          JDK-8170157 enables them by default.

            People

            • Assignee:
              wetmore Bradford Wetmore
              Reporter:
              wetmore Bradford Wetmore