JCK made the following comment about the new getStrongSecureRandom().

>>> If there are values in the securerandom.strongAlgorithms property, must
>>> all the algorithms listed in the property be available in the
>>> implementation? I assume that the answer to this is yes.
>>
>> That's a good question. To be useful, I would think at least one
>> should be there, but that's not specifically called out in the docs.
>> How do/should we handle that?
>
> Maybe we should mention something in the spec along the lines of "an
> implementation must be available for at least one of the algorithms
> listed in securerandom.strongAlgorithms"? This way,
> getStrongSecureRandom() will be expected to return a valid
> implementation if securerandom.strongAlgorithms is not empty and will
> return null if securerandom.strongAlgorithms is empty.

It sounds reasonable to me, any objections here? I'm thinking that any JDK that passes the JCK should by default have at least at least one strongAlgorithm implementation available? This would be moot if an app tweaks their JDK config in a way that breaks the JDK, but out of the box, a strong random number generator should be required.