RFR 8189131: Open-source the Oracle JDK Root Certificates
Weijun Wang
weijun.wang at ORACLE.COM
Mon Dec 11 09:50:42 UTC 2017
> On Dec 8, 2017, at 10:45 PM, Volker Simonis <volker.simonis at gmail.com> wrote:
>
> OK, I've opened the RFR "JDK-8193255: Root Certificates should be
> stored in text format and assembled at build time" for this issue.
In fact, I would recommend we directly release cacerts as a text file containing PEM certificates, for these reasons:
- We are navigating away from JKS because it's not standard
- Certificates in PKCS12 require a password to read
- I see no necessity for protecting cacerts, either for integrity or confidentiality, with a password
- A publicly known password is worse than no password
- Arbitrary comments (outside the -----BEGIN/END CERTIFICATE----- blocks) can be added as attributes
Thanks
Max
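
The text format proposed in the message above, as an added example that is not part of the original post and is not JDK code: a parser for a PEM bundle in which lines outside the BEGIN/END markers carry per-certificate attributes. The `key: value` comment convention, the `alias`/`owner` keys and the sample payload bytes are assumptions constructed for illustration; the payloads are not real certificates.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def parse_bundle(text):
    """Return [(attributes, der_bytes, sha256_hex)], one tuple per PEM block.

    Lines outside the markers are comments; "key: value" comments seen since
    the previous block become the attributes of the next block.
    """
    entries, attrs, body, inside = [], {}, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                raise ValueError(f"line {n}: BEGIN inside an open block")
            inside, body = True, []
        elif line == END:
            if not inside:
                raise ValueError(f"line {n}: END without BEGIN")
            # validate=True rejects characters outside the base64 alphabet
            der = base64.b64decode("".join(body), validate=True)
            entries.append((attrs, der, hashlib.sha256(der).hexdigest()))
            inside, attrs = False, {}
        elif inside:
            body.append(line)
        elif ":" in line:  # comment of the assumed "key: value" form
            key, _, value = line.lstrip("# ").partition(":")
            attrs[key.strip().lower()] = value.strip()
    if inside:
        raise ValueError("unterminated certificate block")
    return entries

def _pem(der):
    """Wrap bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])

# Constructed sample: placeholder bytes stand in for DER-encoded certificates.
SAMPLE_DER = [b"\x30\x82" + bytes(range(100)), b"\x30\x82" + bytes(range(100, 180))]
SAMPLE = "\n".join(["# alias: exampleroot1",
                    "# owner: CN=Example Root 1 (constructed)",
                    _pem(SAMPLE_DER[0]), "",
                    "alias: exampleroot2", _pem(SAMPLE_DER[1]), ""])

if __name__ == "__main__":
    for attrs, der, fingerprint in parse_bundle(SAMPLE):
        print(attrs.get("alias"), len(der), fingerprint)
```
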