Summary
-------
The Java Security Standard Algorithm Names specification should be clarified to state that, as a best practice, implementations that support additional algorithms not defined in the specification can and should use the standard name of those algorithms if they are defined in later versions of the specification.
Problem
-------
The security landscape changes at a fast pace, and new and stronger algorithms and protocols are constantly being developed and standardized.
With this proposed change, we will clarify that implementations that support additional algorithms are recommended to use the standard name of those algorithms if they have been added to subsequent versions of the Java Security Standard Algorithm Names specification.
Solution
--------
See the specification section. This change will be included in the upcoming Maintenance Reviews of the Java SE 8 and 11 Platform JSRs. See https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2018-December/000308.html for more information.
This change is targeted for Java SE 8, 11 and 12 and is the same across all releases. This CSR is intended to cover both 11 and 12, thus the `fixVersion` has been set to `11-pool` and `12`. A separate CCC will be filed and targeted to `8-pool`.
Specification
-------------
Add the following sentence to the first section ("Standard Names") of the Java Security Standard Algorithm Names specification:
Note that an SE implementation may support additional algorithms
that are not defined in this specification. As a best practice, if an
algorithm is defined in a subsequent version of this specification and
an implementation of an earlier specification supports that algorithm,
the implementation should use the standard name of the algorithm
that is defined in the subsequent specification. Each SE implementation
should also document the algorithms that it supports or adds support
for in subsequent update releases. The algorithms may be documented
in release notes or in a separate document such as the JDK Security
Providers document.
With this change, the first section is now the following:
The Java SE Security API requires and uses a set of standard
names for algorithms, certificate and keystore types.
Note that an SE implementation may support additional algorithms
that are not defined in this specification. As a best practice, if an
algorithm is defined in a subsequent version of this specification and
an implementation of an earlier specification supports that algorithm,
the implementation should use the standard name of the algorithm
that is defined in the subsequent specification. Each SE implementation
should also document the algorithms that it supports or adds support
for in subsequent update releases. The algorithms may be documented
in release notes or in a separate document such as the JDK Security
Providers document.
In some cases naming conventions are given for forming names
that are not explicitly listed, to facilitate name consistency
across provider implementations. Items in angle brackets (such as
<digest> and <encryption>) are placeholders to be replaced by a
specific message digest, encryption algorithm, or other name.
Note: Standard names are not case-sensitive.