RFC: When to include 8243559 in 8u? (Remove root certificates with 1024-bit keys)

Severin Gehwolf sgehwolf at redhat.com
Wed Mar 17 17:49:21 UTC 2021


Hi,

I'm currently working on an 8u backport of 8243559[0]. The question
I'd have for the community is how people feel about an appropriate
"heads-up" for users that those weak certificates will soon be gone.
How long should the heads-up be? One release cycle (1 quarter), 2
release cycles, 3 release cycles? JDK 11 settled for 3 quarters for the
deprecation warning until weak root certificates got removed.

Mozilla has phased out 1024-bit root certificates in 2015[1].

If we removed root certificates in 8u302, users would have one release
cycle, i.e. one quarter, to notice the planned removal via the
deprecation warning when actually trying to sign jars or use them for
certpath processing. Note that the deprecation warning got added to
8u292 (to be released this April) via JDK-8172404. Since July 2021 will
be when other JDK releases remove them, I propose to remove them in
OpenJDK 8u at that time with 8u302 as well.

Thoughts? Objections?

Thanks,
Severin

[0] https://bugs.openjdk.java.net/browse/JDK-8243559
[1] https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/