RFR: 3 security-libs release notes on keytool/krb5/etc

Sean Mullan sean.mullan at oracle.com
Mon Apr 3 15:50:03 UTC 2017


On 3/29/17 10:33 AM, Sean Mullan wrote:
> https://bugs.openjdk.java.net/browse/JDK-8176087
> keytool now prints warnings when reading or generating cert/cert req
> using weak algorithms
>
>> In all keytool functions, if the certificate/certificate request/CRL
>> that is working on (whether it be the input, the output, or an
>> existing object) is using a weak algorithm or key, a warning will be
>> printed out.

"working on" sounds a bit awkward. Also not sure it you need to mention 
all functions, and input, output, etc - I think that should be implied. 
You probably also want to mention the fix in 
https://bugs.openjdk.java.net/browse/JDK-8177569 here. How about:

"With one exception, keytool will always print a warning if the 
certificate, certificate request, or CRL it is parsing or verifying is 
using a weak algorithm or key. When the `-trustcacerts` option is 
specified or the `cacerts` keystore is being directly operated on, 
keytool will not print a warning for certificates in the `cacerts` 
keystore that have been signed with a weak signature algorithm."

>> Precisely, an algorithm or a key is weak if it matches the value of
>> the jdk.certpath.disabledAlgorithms security property defined in
>> conf/security/java.security.

Put the property name and file name in single backquotes, ex: 
`jdk.certpath.disabledAlgorithms`. Also I would say "in the 
`conf/security/java.security` file."

--Sean


More information about the security-dev mailing list