RFR: 8209452: VerifyCACerts.java failed with "At least one cacert test failed" (gtecybertrustglobalca certificate)

Sean Mullan sean.mullan at oracle.com
Wed Aug 22 13:41:26 UTC 2018


On 8/22/18 5:17 AM, Langer, Christoph wrote:
> Hi,
> 
> I've seen the changes that should allow for keeping the GTE cybertrust root ca around although it has expired on 14th of August, also this one: http://mail.openjdk.java.net/pipermail/security-dev/2018-April/017023.html
> 
> However, I'd like to ask the question if you really plan to keep this expired certificate? Shouldn't there be a replacement for it or are there plans to remove it at all some time?

There is no replacement for this root. Let me explain further why we had 
been keeping this expired root. Certificates that chain back to this 
root have been issued for TLS and code signing. With code signing 
certificates, the signed code may have also been timestamped, allowing 
that code to continue to be valid even after the code signing 
certificate (or any CA in its chain, including the root) expires. Thus, 
if we removed this root, there is a risk that we would break existing 
signed code that has been timestamped with certificates chaining back to 
this root.

That said, this is primarily a risk for signed applets and Web Start 
apps. Applets are deprecated as of JDK 9 and Oracle does not include Web 
Start in JDK 11. I am not aware of other use cases for timestamping Java 
code, anyone else? Therefore, I think it is safe and of minimal risk to 
remove this root going forward and I will file an issue to do that. It's 
too late to do that for JDK 11, but we can consider removing it in a 
subsequent update as a backport.

--Sean

> 
> Thanks & Best regards
> Christoph
> 
>> -----Original Message-----
>> From: security-dev <security-dev-bounces at openjdk.java.net> On Behalf Of
>> Sean Mullan
>> Sent: Dienstag, 14. August 2018 18:35
>> To: Rajan Halade <rajan.halade at oracle.com>; security-dev <security-
>> dev at openjdk.java.net>
>> Subject: Re: RFR: 8209452: VerifyCACerts.java failed with "At least one cacert
>> test failed"
>>
>> Looks good. When you push the changeset, can you add a Summary line with
>> more details of the fix, ex:
>>
>> Summary: allow expired certificates on exception list to pass after they
>> expire
>>
>> Thanks,
>> Sean
>>
>> On 8/14/18 12:22 PM, Rajan Halade wrote:
>>> Please review this fix to allow test to pass if expired certificate is
>>> allowed by exception list.
>>>
>>> Webrev: http://cr.openjdk.java.net/~rhalade/8209452/webrev.00/
>>>
>>> Thanks,
>>> Rajan



More information about the security-dev mailing list