On Tue, 17 Dec 2024 21:24:16 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

> Then, please redefine the scope and purpose of this feature. It is just a 
> part of the solution. Xuelei

I see it differently. It's a solution for the problem that we think is worth 
addressing from the JDK/JCA perspective. It's not a framework to assist 
security providers with their FIPS configuration and certification process: 
they will need to implement self-integrity tests, register the algorithms and 
algorithm parameters they have certified for a specific version, and possibly 
many other requirements. If they change the algorithms, they will have to go 
through the certification process again —not just change a Filter rule—. A 
security provider that registers non-FIPS approved algorithms will not get a 
certification anyways. The problem that we have is with non-FIPS providers that 
make available crypto that shouldn't be used. Perhaps I can add a non-goal to 
the JEP, if it helps to clarify this confusion.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/15539#issuecomment-2549828885
