Shibboleth Developers

[Brent Putman <>]

Scott Cantor wrote:

Should we doc how to obtain these other policy files?
    

Then we have to change our documentation when Sun changes theirs. We should
point to Sun's

Yes, I would agree there.

assuming we're even requiring their JCE, which I don't think
we are.
  

No, we're not requiring Sun's JCE provider, at least not explicitly - but the policy change is not in the JCE providers that are loaded, it's in other security policy jar files, containing Java security policies that get loaded.  I believe it applies to all JCA providers that are loaded, e.g. BouncyCastle.  I suspect that all the Sun-derived JRE's have the same policies, and maybe even other ones like IBM.  I'll check on the latter when I get a chance.

I think that's a good argument for including BC instead...didn't we talk
about doing that?
  

Well, we already include their library jar as a dependency, b/c we're using some code from (ASN.1 I think).  But to actually install it as a JCA security provider, you have to fiddle with the java.security config file (or else do it programatically, which we probably don't want to do).  However, I think this is a separate issue from the jurisdiction policy files, see above.


--Brent