[Update]: JEP 249 (OCSP Stapling for TLS)

Xuelei Fan xuelei.fan at oracle.com
Wed Jul 1 01:53:07 UTC 2015


On 7/1/2015 7:38 AM, Jamil Nimeh wrote:
>> src/java.base/share/classes/sun/security/validator/PKIXValidator.java
>> =====================================================================
>> minor comment:
>>
>> Is it more instinctive if changing the parameter name from responseList
>> to ocspResponses, and the method name from addResponses() to
>> addOcspResponses()?
>>
>> Same for SimpleValidator.java and Validator.java.
> I've tried to not use "ocsp" in the names, only because OCSP is just one
> type of stapled response for certificate revocation status. Granted, it
> is the only one used today.  I didn't want to use a term that denoted
> that the only kind of data coming through CertificateStatus is OCSP
> data, since in the future it may be something different.  I know there
> are places where I didn't adhere to my own rule, but I really tried to
> where I could.
Good point.

I had the same concern for the spec of
ExtendedSSLSession.getStatusResponses().  If the response is something
other than OCSP, the type of the response may need to be specified.  I'm
OK with the current API as OCSP is the only cert status we know so far:
    public List<byte[]> getStatusResponses()

Alternatively, if you want the flexibility to support types other than
OCSP, the API may look like:
    public Map<Integer, List<byte[]>> getStatusResponses()

Xuelei
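As an added illustration of the API shape being discussed (this is example code written for this page, not JDK code or anything from the JEP 249 patch), the following client retrieves whatever the server stapled via the public `ExtendedSSLSession.getStatusResponses()` method that shipped with JEP 249 and then inspects each raw entry. Because the `List<byte[]>` form carries no type tag, the only way for a caller to learn what each entry is, is to look at the DER itself; the example does that with a minimal DER header reader and decodes the outer `OCSPResponse.responseStatus` field (RFC 6960, section 4.2.1). The host name, the port and the `jdk.tls.client.enableStatusRequestExtension` property default are assumptions for the demo; the code only inspects bytes and does not validate the stapled response, which the handshake's revocation checking is responsible for.

```java
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Collections;
import java.util.List;

public class StapledStatusDemo {

    /** Handshake with host:port and return the raw stapled status entries (may be empty). */
    static List<byte[]> fetchStapledResponses(String host, int port) throws IOException {
        // Assumption: the client-side status_request extension is controlled by this
        // property (default true in JDK 9+); set it explicitly so the demo does not
        // depend on the running JDK's defaults.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            SSLSession session = socket.getSession();
            if (!(session instanceof ExtendedSSLSession)) {
                return Collections.emptyList();
            }
            // The API under discussion: a plain List<byte[]>, no per-entry type tag.
            return ((ExtendedSSLSession) session).getStatusResponses();
        }
    }

    /**
     * Minimal DER TLV header reader. Returns {valueOffset, valueLength} for the element
     * at pos if its tag equals expectedTag and its length fits in the buffer, else null.
     */
    static int[] derHeader(byte[] der, int pos, int expectedTag) {
        if (pos + 2 > der.length || (der[pos] & 0xFF) != expectedTag) return null;
        int first = der[pos + 1] & 0xFF;
        int off = pos + 2;
        int len;
        if (first < 0x80) {
            len = first;                       // short-form length
        } else {
            int n = first & 0x7F;              // long-form: n length octets follow
            if (n == 0 || n > 4 || off + n > der.length) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off + i] & 0xFF);
            off += n;
        }
        if (len < 0 || off + len > der.length) return null;
        return new int[] { off, len };
    }

    /**
     * OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }
     * Returns the responseStatus value, or -1 if the blob does not parse as an OCSPResponse.
     */
    static int ocspResponseStatus(byte[] der) {
        int[] outer = derHeader(der, 0, 0x30);           // SEQUENCE
        if (outer == null) return -1;
        int[] status = derHeader(der, outer[0], 0x0A);   // ENUMERATED responseStatus
        if (status == null || status[1] != 1) return -1;
        return der[status[0]] & 0xFF;
    }

    /** Names from RFC 6960 section 4.2.1 (value 4 is unused in the RFC). */
    static String statusName(int status) {
        switch (status) {
            case 0: return "successful";
            case 1: return "malformedRequest";
            case 2: return "internalError";
            case 3: return "tryLater";
            case 5: return "sigRequired";
            case 6: return "unauthorized";
            default: return "unknown(" + status + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com";   // assumed demo host
        List<byte[]> responses = fetchStapledResponses(host, 443);
        if (responses.isEmpty()) {
            System.out.println("no stapled status (server did not staple, or stapling disabled)");
            return;
        }
        for (int i = 0; i < responses.size(); i++) {
            byte[] entry = responses.get(i);
            int st = ocspResponseStatus(entry);
            System.out.printf("entry %d: %d bytes, %s%n", i, entry.length,
                    st < 0 ? "not an OCSPResponse (a type tag would be needed to interpret it)"
                           : "OCSP responseStatus " + statusName(st));
        }
    }
}
```

A "successful" responseStatus only says the responder produced a BasicOCSPResponse; the per-certificate good/revoked/unknown verdict lives inside responseBytes and is what the handshake's revocation checker acts on. If a future stapled status type other than OCSP were ever added, the untagged list would force callers into exactly this kind of sniffing, which is the point of the `Map<Integer, List<byte[]>>` alternative mentioned above.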


