[security-dev 00886]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate

Xuelei Fan Xuelei.Fan at Sun.COM
Tue Jun 9 04:01:00 UTC 2009


Sean Mullan wrote:
> Xuelei Fan wrote:
>
>> Many, many Verisign root certs are V1, and the intermediate certs are V3.
>
> I believe that is because many Verisign roots were issued in the late 
> 1990's and perhaps v3 (published in 1996) had not gained enough 
> support in the market yet.
>
> I am wondering if you know if there are legitimate use cases of CAs 
> still issuing v1/v2 root certificates?
I'm not sure. Most of the new CAs are compliant with the V3 specifications.
> If not, I'm not sure it is really worth fixing this. Instead I would 
> recommend fixing the regression test.
>
I have never found any root CA that needs to issue a root self-issued 
certificate for key rollover or any other reason. It does not sound 
like a have-to-fix bug. I had a look at my Firefox certificate store; 
there are a few V1 certificates issued around 1998 or 1999, and valid 
until 2028/2036. I think it is not bad to support key renewal in case 
the feature is needed one day.

The updates have been putback into the JDK7/TL workspace: 
http://hg.openjdk.java.net/jdk7/tl/jdk/rev/045743e0eb2d.

Thanks,
Andrew


