RFR: JEP 249 (OCSP Stapling for TLS)

Thomas Lußnig openjdk at suche.org
Sun Jun 21 19:12:19 UTC 2015 

On 21.06.2015 17:56, Jamil Nimeh wrote:
>
> The X509TrustManager, if configured to do revocation checking at all,
> should handle the checks so the client doesn't have to.  Can you tell
> me a little more about what environment a customer would want to
> re-check the responses above and beyond what is done already?  Could
> those checks be done with a custom CertPathChecker registered with the
> PKIXBuilderParameters used in the trust manager?
One example would be Certificate Transparency that use the same response
message but with other content.
>> http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java.patch
>>
>> - Why not allow to toggle each of the extensions individually ?
>>    I think after Heartbleed this would be an good idee
>> +        if (enableStatusRequestExtension) {
>> +            clientHelloMessage.addCertStatusReqListV2Extension();
>> +            clientHelloMessage.addCertStatusRequestExtension();
>> +        }
> I suppose we could, I didn't because I just didn't want two more
> properties, that's all.  At one point there was some discussion about
> a single property that could be used to toggle the presence of
> multiple extensions, which could help prevent an explosion in the
> number of enable/disable properties related to TLS extensions. Maybe
> we need to reopen that discussion.
Even one property would be ok if it is not boolean but decimal.
0 := Off
1 := Simple Request
2 := ListV2 Request
3 := Both Types

>> http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/src/java.base/share/classes/sun/security/x509/PKIXExtensions.java.patch
>>
>> - Why to break the comments earlyer ?
>>
>>
> You lost me on this last one, can you clarify what you mean?  Do you
> not like where I added the OCSP nonce definition?
There are many changes like these sample where only the line length is
changes.
I ask because today the monitors become wider but not higher so if we
have small line length but many lines the screen contain less information.
The qeustion is if the changes are due to some new rules.

-     * Allows additional identities to be bound to the subject of the certificate.
+     * Allows additional identities to be bound to the subject of the
+     * certificate.

Gruß Thomas

More information about the security-dev mailing list