[RFR] 8174849: Change SHA1 certpath restrictions

Sean Mullan sean.mullan at oracle.com
Tue Feb 14 13:07:38 UTC 2017


On 2/14/17 2:33 AM, Bernd Eckenfels wrote:
> Hello,
>
> The bug does not explain why. I would understand completely denying SHA1
> (i.e. unconditionally), but allowing it seems strange, especially
> without a justification.

The initial disabling of SHA-1 certificates in JDK 9 is too broad and 
affects all certificates. The compatibility risk at this time is too 
high to make that change. We are working on an updated plan which will 
focus initially on TLS Server certificates. More details will be 
provided later.

Thanks,
Sean

>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
>
> On Mon, Feb 13, 2017 at 10:57 PM +0100, "Anthony Scarpino"
> <anthony.scarpino at oracle.com> wrote:
>
>     Hi,
>
>     I need a quick review on a simple certpath config change.
>
>     http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
>
>     thanks
>
>     Tony
>


