RFC: When to include 8243559 in 8u? (Remove root certificates with 1024-bit keys)
Andrew Hughes
gnu.andrew at redhat.com
Wed Mar 17 20:18:59 UTC 2021
On 18:49 Wed 17 Mar, Severin Gehwolf wrote:
> Hi,
>
> I'm currently working on an 8u backport of 8243559[0]. The question
> I'd have for the community is how do people feel about an appropriate
> "heads-up" for users that those weak certificates will soon be gone.
> How long should the heads-up be? One release cycle (1 quarter), 2
> release cycles, 3 release cycles? JDK 11 settled for 3 quarters for the
> deprecation warning until weak root certificates got removed.
>
> Mozilla has phased out 1024 bit root certificates in 2015[1].
>
> If we removed root certificates in 8u302, users would have one release
> cycle, i.e. one quarter, to notice the planned removal via the
> deprecation warning when actually trying to sign jars or use them for
> certpath processing. Note that the deprecation warning got added to
> 8u292 (to be released this April) via JDK-8172404. Since July 2021 will
> be when other JDK releases remove them, I propose to remove them in
> OpenJDK 8u at that time with 8u302 as well.
>
> Thoughts? Objections?
>
> Thanks,
> Severin
>
> [0] https://bugs.openjdk.java.net/browse/JDK-8243559
> [1] https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
>
I agree with removing them in 8u302 to be consistent with other JDK releases.
If users really do need these certificates, they can add them locally.
I suspect the deprecation period was designed with Oracle's JDKs in
mind, intending to apply across the whole range from 7 to 17. Oracle
have been shipping this set of certificates much longer than OpenJDK.
The certificates were not open-sourced until JDK-8189131 [0] in
OpenJDK 10 in late 2017. They were not backported to 8u until 8u222
in July 2019. As a result, the window for adoption is much smaller
with OpenJDK; just over three years for those using 10 and later, and
less than two for those on 8u.
As they are a relatively new addition to OpenJDK, many vendors will
have provided alternative solutions many years earlier and likely have
stuck with those since OpenJDK's introduction of its own
certificates. In our case, with Fedora & RHEL, we generate our own
cacerts from the Mozilla root certificates, so will have removed
1024-bit certificates in 2015 as you mention.
I would need a very strong argument for OpenJDK 8 to be the only JDK
still carrying these certificates after July. It is unfortunate that
the deprecation work wasn't backported earlier, but I don't think this
warrants carrying insecure certificates for longer than other JDKs.
As to the backporting, I think we do need to consider how backports
are prioritised. I'm seeing a few like this that should have been done
earlier (I have a list of ones I have seen in recent 11u build
promotions and intend to look at for 8u), while we seem to be getting
a lot of 8u backports for rather trivial test and build fixes.
[0] https://bugs.openjdk.java.net/browse/JDK-8189131
Thanks,
--
Andrew :)
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
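The check a deployment would want before (or after) the removal discussed in this thread: which roots in a trust bundle still carry RSA keys under 2048 bits, and a filtered bundle with the survivors that can be fed to keytool. This is an added example, not code from the thread, from OpenJDK or from the Fedora/RHEL packaging; it needs only openssl. The two self-signed "roots" with subjects weak-root (1024-bit) and strong-root (2048-bit), and the file names, are constructed for the demonstration and are assumptions, not real trust anchors.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenJDK's own tooling:
# find the trust anchors in a PEM bundle whose RSA modulus is below a minimum
# size (the 1024-bit roots discussed above) and write the remaining ones to a
# new bundle that keytool can import.  Needs only openssl.  The sample bundle
# with the subjects "weak-root" and "strong-root" is constructed here and is an
# assumption for demonstration, not a real set of roots.
set -eu

# Split a PEM bundle into one numbered file per certificate under $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++
                                        out = sprintf("%s/%04d.pem", dir, n) }
        out { print > out }' "$1"
}

# Key algorithm and size of one certificate, e.g. "rsaEncryption 1024".
# Handles both "RSA Public-Key: (1024 bit)" (OpenSSL 1.1) and
# "Public-Key: (1024 bit)" (OpenSSL 3.x).
key_info() {
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ { sub(/.*Public-Key: \(/, ""); sub(/ bit\).*/, ""); bits = $0 }
        END { print alg, bits + 0 }'
}

cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Status 0 when the certificate in $1 has an RSA key shorter than $2 bits.
# Only RSA sizes are compared: an EC root on P-256 reports 256 bits but is
# not weak, so non-RSA keys are never flagged here.
is_weak_rsa() {
    info=$(key_info "$1")
    [ "${info% *}" = rsaEncryption ] && [ "${info#* }" -lt "$2" ]
}

# Print "<bits> <subject>" for every RSA root in bundle $1 below $2 bits.
weak_rsa_roots() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    for f in "$tmp"/*.pem; do
        if is_weak_rsa "$f" "$2"; then
            info=$(key_info "$f")
            printf '%s %s\n' "${info#* }" "$(cert_subject "$f")"
        fi
    done
    rm -rf "$tmp"
}

# Copy every root from bundle $1 that is not a weak RSA root into bundle $3.
filter_roots() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    : > "$3"
    for f in "$tmp"/*.pem; do
        if is_weak_rsa "$f" "$2"; then continue; fi
        cat "$f" >> "$3"
    done
    rm -rf "$tmp"
}

# Constructed sample (assumption, not real roots): two self-signed
# certificates, one with a 1024-bit and one with a 2048-bit RSA key.
make_sample_bundle() {
    tmp=$(mktemp -d)
    : > "$1"
    for name_bits in weak-root:1024 strong-root:2048; do
        name=${name_bits%:*}; bits=${name_bits#*:}
        openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj "/CN=$name" \
            -keyout "$tmp/$name.key" -out "$tmp/$name.crt" 2>/dev/null
        cat "$tmp/$name.crt" >> "$1"
    done
    rm -rf "$tmp"
}

# Stand-alone use: scan the bundle given as $1 (default: the constructed
# sample) and write the surviving roots to $2 (default: filtered-roots.pem).
bundle=${1:-}
if [ -z "$bundle" ]; then
    bundle=$(mktemp); make_sample_bundle "$bundle"
fi
echo "RSA roots below 2048 bits:"
weak_rsa_roots "$bundle" 2048
filter_roots "$bundle" 2048 "${2:-filtered-roots.pem}"
```

Run it against a distribution bundle (for example the ca-bundle.crt that Fedora and RHEL derive from the Mozilla roots, or one extracted from a JDK's cacerts with keytool -exportcert) to see what would be lost. keytool imports one certificate per invocation, so to build a local keystore from the filtered bundle, split it as above and run keytool -importcert -trustcacerts -noprompt -keystore local-cacerts -storepass changeit -alias <name> -file <one cert> for each file; the same command is how a user who really does need one of the removed roots adds it back locally.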