mhall at mhcomputing.net
Fri Jun 14 09:56:23 PDT 2013
I asked about this once before. I didn't get very far because Java doesn't try to be compliant with FIPS or any of the other standards relating to key security. In addition with the garbage collector relocating things it is difficult to ensure you've really emptied these objects out in the way you claim to be.
Sent from my mobile device.
Michael StJohns <mstjohns at comcast.net> wrote:
>Generic questions for possible future work:
>As a general guideline, would it make sense to add
>javax.security.auth.Destroyable to the set of interfaces for SecretKey
>and PrivateKey implementation objects where possible?
>Should the methods that use secret and private keys check to see if
>those keys implement the Destroyable interface to see if they should
>call isDestroyed() from that interface prior to using the key?
More information about the security-dev