JEP Review Request: OCSP Stapling for TLS
Xuelei Fan
xuelei.fan at oracle.com
Fri Sep 5 01:21:16 UTC 2014
On 9/3/2014 8:47 AM, Bernd Eckenfels wrote:
> Also I can understand the restriction to not require API changes I
> wonder if this is a good idea. I will come back to that later, but just
> a preliminary question: will a TrustManager (or HostnameVerifier) be
> able to actually see and work on the OCSP response - maybe via
> getHandshakeSession()?
The configuration and validation of OCSP should be delegated to PKIX
cert path building and validation processes. Customizing the
PKIXRevocationChecker and PKIXParameters would impact the behavior of
JSSE. TrustManager would also honor the PKIX configurations.
Xuelei
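
An added example (not part of the original message and not JDK source) of the delegation described in the reply: revocation settings are placed on a PKIXRevocationChecker and PKIXBuilderParameters, then handed to the JSSE "PKIX" TrustManagerFactory. The class name, the choice of ONLY_END_ENTITY, and the truststore path and password taken from the command line are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; illustrates PKIX-driven revocation policy for JSSE.
public class PkixRevocationTrust {

    // Returns an SSLContext whose trust managers apply the PKIX settings below.
    static SSLContext build(KeyStore trustAnchors) throws Exception {
        // Obtain the revocation checker of the default PKIX implementation.
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // SOFT_FAIL is not set, so an unobtainable revocation status fails
        // validation. ONLY_END_ENTITY limits the check to the leaf certificate.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));

        // Trust anchors come from the keystore; the empty selector matches any target.
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
        params.setRevocationEnabled(true);
        params.addCertPathChecker(rc);

        // Hand the PKIX configuration to JSSE through the trust manager factory.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: truststore path, args[1]: truststore password (assumptions).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        SSLContext ctx = build(ks);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```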