RFR: 3 security-libs release notes on keytool/krb5/etc
Sean Mullan
sean.mullan at oracle.com
Mon Apr 3 15:50:03 UTC 2017
On 3/29/17 10:33 AM, Sean Mullan wrote:
> https://bugs.openjdk.java.net/browse/JDK-8176087
> keytool now prints warnings when reading or generating cert/cert req
> using weak algorithms
>
>> In all keytool functions, if the certificate/certificate request/CRL
>> that is working on (whether it be the input, the output, or an
>> existing object) is using a weak algorithm or key, a warning will be
>> printed out.
"working on" sounds a bit awkward. Also not sure if you need to mention
all functions, and input, output, etc - I think that should be implied.
You probably also want to mention the fix in
https://bugs.openjdk.java.net/browse/JDK-8177569 here. How about:
"With one exception, keytool will always print a warning if the
certificate, certificate request, or CRL it is parsing or verifying is
using a weak algorithm or key. When the `-trustcacerts` option is
specified or the `cacerts` keystore is being directly operated on,
keytool will not print a warning for certificates in the `cacerts`
keystore that have been signed with a weak signature algorithm."
>> Precisely, an algorithm or a key is weak if it matches the value of
>> the jdk.certpath.disabledAlgorithms security property defined in
>> conf/security/java.security.
Put the property name and file name in single backquotes, ex:
`jdk.certpath.disabledAlgorithms`. Also I would say "in the
`conf/security/java.security` file."
--Sean
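As an added illustration (not part of this thread and not keytool's or the JDK's own code), the following Java program applies a simplified reading of the `jdk.certpath.disabledAlgorithms` syntax to a few constructed signature-algorithm/key combinations, so a reader can see what "matches the value of the property" means in practice. It models only bare algorithm names and `keySize` constraints; the class name, `disabledBy`, and the sample property string are assumptions, not JDK API.

```java
import java.security.Security;
import java.util.Locale;

// Illustrative matcher for the jdk.certpath.disabledAlgorithms syntax
// ("ALG [constraint [& constraint]...]"). Bare names and "keySize <op> N"
// are modelled; entries with jdkCA, usage or denyAfter constraints are
// treated as not matching. This is NOT the JDK's own implementation.
public class WeakAlgCheck {
    static final String PROP = "jdk.certpath.disabledAlgorithms";
    // Constructed sample in the property's syntax; the live value is read
    // from conf/security/java.security via Security.getProperty(PROP).
    static final String SAMPLE = "MD2, MD5, SHA1 jdkCA & usage TLSServer, "
        + "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224";

    /** Returns the entry that disables (sigAlg, keyAlg, keySize), or null. */
    static String disabledBy(String prop, String sigAlg, String keyAlg, int keySize) {
        for (String entry : prop.split(",")) {
            String[] parts = entry.trim().split("&");
            String[] head = parts[0].trim().split("\\s+", 2); // "RSA keySize < 1024"
            String alg = head[0].toUpperCase(Locale.ROOT).replace("-", "");
            if (alg.isEmpty()) continue;
            boolean keyMatch = keyAlg != null && alg.equals(keyAlg.toUpperCase(Locale.ROOT));
            boolean sigMatch = false;
            if (sigAlg != null) // "SHA1withRSA" -> components SHA1 and RSA
                for (String c : sigAlg.toUpperCase(Locale.ROOT).replace("-", "").split("WITH"))
                    sigMatch |= c.equals(alg);
            if (!keyMatch && !sigMatch) continue;
            boolean holds = head.length == 1 || constraintHolds(head[1], keyMatch, keySize);
            for (int i = 1; i < parts.length && holds; i++)
                holds = constraintHolds(parts[i].trim(), keyMatch, keySize);
            if (holds) return entry.trim();
        }
        return null;
    }

    static boolean constraintHolds(String c, boolean keyMatch, int keySize) {
        String[] t = c.split("\\s+"); // e.g. ["keySize", "<", "1024"]
        if (t.length == 3 && t[0].equalsIgnoreCase("keySize") && keyMatch) {
            int n = Integer.parseInt(t[2]);
            switch (t[1]) {
                case "<": return keySize < n;   case "<=": return keySize <= n;
                case ">": return keySize > n;   case ">=": return keySize >= n;
                case "==": return keySize == n; case "!=": return keySize != n;
            }
        }
        return false; // jdkCA, usage, denyAfter: not modelled here
    }

    public static void main(String[] args) {
        String live = Security.getProperty(PROP);
        String prop = live != null ? live : SAMPLE;
        String[][] cases = { {"MD5withRSA", "RSA", "2048"}, {"SHA256withRSA", "RSA", "512"},
            {"SHA1withRSA", "RSA", "2048"}, {"SHA256withECDSA", "EC", "256"} }; // constructed
        for (String[] k : cases) {
            String hit = disabledBy(prop, k[0], k[1], Integer.parseInt(k[2]));
            System.out.printf("%-16s %s/%s -> %s%n", k[0], k[1], k[2],
                hit == null ? "ok" : "WEAK (matches \"" + hit + "\")");
        }
    }
}
```

With the sample value, `MD5withRSA` is flagged by the bare `MD5` entry and a 512-bit RSA key by `RSA keySize < 1024`, while `SHA1withRSA` is not flagged because its entry carries `jdkCA`/`usage` constraints this simplified matcher does not evaluate.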