cacerts and OSX

Bradford Wetmore bradford.wetmore at oracle.com
Thu May 31 09:44:10 PDT 2012


Taking 2 responses in reverse order, Henri wrote:

 > Ok, so I'll have to mimic OpenJDK's packaging performed on Linux
 > distribution, using Mozilla provided CA certs.

I felt the need to respond to this thread after seeing this statement.

You need to check with Mozilla and your lawyers as to whether you can 
just use theirs for an OpenJDK-based build.  CA certs are not something 
to just grab just so your impl works.  There are legal issues involved 
here, which is the reason we (Oracle) had to include an empty CA file in 
the first place.

It is your responsibility as an OpenJDK builder to resolve the legal 
issues.  Please don't take this lightly.

On 5/31/2012 8:29 AM, Scott Kovatch wrote:
> On May 31, 2012, at 7:39 AM, Henri Gomez <henri.gomez at gmail.com> wrote:
>
>>> CA certificate management is a non-trivial matter. Right now it's
>>> pretty much orthogonal to OpenJDK development, and it's something
>>> for downstream distributors to handle.
>>>
>>> Personally, I'd like to keep it that way for OpenJDK 7 updates as
>>> I don't see the need for doing it in this Project, given that OpenJDK
>>> 7u distributors as well as organizations building their own JDKs
>>> based on OpenJDK 7u typically have their own ways of managing CA
>>> certificates in place specific to their needs.
>>
>> My question wasn't clear.
>> cacerts inclusion for OSX was at packaging level, i.e. like those I
>> didn't on openjdk-osx-build, so after stock OpenJDK build process.
>
> Henri, I think this is something you would have to bring up with Apple. The cacerts file in Apple's JDK was generated from the certificates in the 'System Roots' keychain (or, it was the last time I was responsible for doing it), so you may not have the legal right to redistribute it. As usual, there are no lawyers here.
>
> As Dalibor says, each JDK distributor or licensee is responsible for obtaining their own root certificates, and in Apple's case, they are already distributed via the OS, so the JDK was covered by those licenses.

This is probably moot now, but if I squinted, tilted my head to a 
certain angle, and created some ambiguity in pronouns :) , I could 
potentially misread what I think Scott was trying to say here.  What 
might be clearer:

     ... and in Apple's case, the CA certs are already distributed via
     the *Apple OS*, so *Apple's* JDK was covered by those licenses.

Your *OpenJDK*-based build likely is not covered by those Apple 
licenses, and thus you need to check with Apple if you could use theirs.

Hope this helps, I didn't want you to think "since I didn't hear 
anything further, my approach must be ok."

Brad






More information about the jdk7u-dev mailing list