Support version 1 cert generation

Sean Mullan sean.mullan at oracle.com
Wed May 18 15:05:01 UTC 2016


On 05/17/2016 12:12 PM, Xuelei Fan wrote:
> JDK still supports version 1 certs.  Developers may want to test
> version 1 support of their applications.  I agree that version 1
> should be faded out although it is still actively used in practice,
> especially as self-signed certs.

I agree that we need to continue supporting them in our implementation. 
However, I don't think we should add new tool support for creating v1 
certs as that may encourage continued use of them (or misuse where it 
would be better to use extensions). I guess I don't really see a 
compelling need to support this, as a V3 certificate can also be used as 
a self-signed cert.

--Sean

>
> It may be something that we only want to consider for self-signed
> certs on request.
>
> Thanks, Xuelei
>
>> On May 17, 2016, at 7:45 PM, Sean Mullan <sean.mullan at oracle.com>
>> wrote:
>>
>> Hi Xuelei,
>>
>> Can you elaborate under what circumstances this is useful for
>> testing? X.509 v3 was first published in 1996, and v1 certificates
>> should be pretty much non-existent these days (although there are
>> some root certs that are still v1). v1 certificates do not support
>> extensions. Adding support may cause users to (accidentally) start
>> using them in practice, which would not be good. PKIX (RFC 3280)
>> states that "Conforming implementations may choose to reject all
>> version 1 and version 2 intermediate certificates." (RFC 5280,
>> section 6.1.4 step k).
>>
>> Thanks, Sean
>>
>>> On 05/17/2016 12:44 AM, Wang Weijun wrote:
>>> https://bugs.openjdk.java.net/browse/JDK-8157109 filed.
>>>
>>> --Max
>>>
>>>> On May 17, 2016, at 12:25 PM, Xuelei Fan
>>>> <xuelei.fan at oracle.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Keytool used to generate version 1 self-signed certificates.
>>>> Now it is mandatory to be version 3.  Default version 3 should
>>>> be OK.  However, in some circumstances (for example for testing
>>>> purposes), a version 1 self-signed certificate may still be
>>>> useful.
>>>>
>>>> It would be a low priority, but may be nice to add an option to
>>>> support a specified certificate version number for certificate
>>>> generation.
>>>>
>>>> Thanks, Xuelei
>>>
>
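The point the thread turns on (a v1 certificate has no version field and no extensions, and RFC 5280 section 6.1.4 step (k) lets a validator reject v1/v2 intermediates) can be checked directly at the DER level. The following is an added example, not code from the thread, from keytool or from the JDK: it reads the outer Certificate and TBSCertificate SEQUENCEs, infers the version from the presence or absence of the [0] EXPLICIT tag, and applies the step (k) policy to a chain. The function names (`der_read_tlv`, `x509_version`, `check_path`, `sample_cert`) and the sample byte strings are constructed for this illustration; the samples are minimal TBSCertificate prefixes (version plus serial number), not usable certificates.

```python
"""Classify X.509 certificate versions straight from DER, without a
library, and apply the RFC 5280 6.1.4 step (k) policy of rejecting
version 1 and 2 intermediate certificates.

Added illustration; not part of keytool or the JDK.  The sample
certificates built by sample_cert() are constructed TBSCertificate
prefixes (version + serialNumber only), not real certificates."""


def der_read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N + N bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def x509_version(cert_der):
    """Return the X.509 version (1, 2 or 3) encoded in a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate TBSCertificate, ... }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1,
                                  serialNumber INTEGER, ... }
    Version        ::= INTEGER { v1(0), v2(1), v3(2) }

    DER never encodes a DEFAULT value, so a v1 certificate simply has no
    [0] element: its TBSCertificate starts with the serial number.  That
    is also why a v1 certificate cannot carry extensions: the extensions
    field is [3] EXPLICIT and only present in v3.
    """
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = der_read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = der_read_tlv(tbs, 0)
    if tag != 0xA0:                        # [0] EXPLICIT absent -> DEFAULT v1
        return 1
    inner_tag, version_bytes, _ = der_read_tlv(first, 0)
    if inner_tag != 0x02 or len(version_bytes) != 1:
        raise ValueError("malformed version field")
    version = version_bytes[0] + 1         # v1(0) -> 1, v2(1) -> 2, v3(2) -> 3
    if version == 1:
        raise ValueError("v1 must be omitted, not encoded, in DER")
    if version not in (2, 3):
        raise ValueError("unknown X.509 version %d" % version)
    return version


def check_path(chain_der):
    """Apply RFC 5280 6.1.4 (k) to a chain ordered end-entity first, trust
    anchor last: every intermediate must be v3, since only v3 can carry the
    basicConstraints and keyUsage extensions path validation relies on.
    The end entity and the trust anchor are not checked here (the thread
    notes that some root certificates are still v1).
    Returns a list of problems; an empty list means the check passed."""
    problems = []
    for i, cert in enumerate(chain_der[1:-1], start=1):
        v = x509_version(cert)
        if v != 3:
            problems.append("cert %d is v%d: intermediate must be v3" % (i, v))
    return problems


def _der(tag, value):
    """Minimal DER TLV encoder (short-form lengths only) for the samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def sample_cert(version):
    """Constructed sample: a TBSCertificate prefix (optional [0] version,
    then serialNumber 1) wrapped in the outer Certificate SEQUENCE.  Enough
    for version detection; not a signed or otherwise usable certificate."""
    fields = b""
    if version > 1:                        # v1 is DEFAULT and therefore omitted
        fields += _der(0xA0, _der(0x02, bytes([version - 1])))
    fields += _der(0x02, b"\x01")          # serialNumber 1
    return _der(0x30, _der(0x30, fields))


if __name__ == "__main__":
    for v in (1, 2, 3):
        print("sample v%d -> detected v%d" % (v, x509_version(sample_cert(v))))
    print(check_path([sample_cert(3), sample_cert(1), sample_cert(3)]))
```

In Java the same distinction is available without parsing: `java.security.cert.X509Certificate.getVersion()` returns 1, 2 or 3, and `getNonCriticalExtensionOIDs()` / `getCriticalExtensionOIDs()` return null for a v1 certificate because there is no extensions field to read. The example above is only for showing where that information lives in the encoding and why a self-signed v1 certificate cannot express basicConstraints or keyUsage, which is the reason a v3 self-signed certificate is the better default.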


