RFR (12): 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Bernd Eckenfels ecki at zusammenkunft.net
Fri Dec 7 18:19:32 UTC 2018


Whoa, having a specific property named after a brand looks awfully specific and even hostile. (Yes, it can be removed in a future version when all existing certs are expected to expire, but having code patches distributed for such policy enforcement does look like a heavy gun.)

Won't it be a better idea to have a generic blacklist framework (with thumbprint and forced end date), maybe even by using WebStart blacklist technology? (Or just put the list with new syntax in the algorithm restriction properties; the list is long, but if it's limited to the thumbprints it should be doable.)

Also, since this (without OCSP stapling or CT) somewhat trusts Symantec not to backdate issuances, why not trust them not to issue new ones? Just wait for a few more months and remove them completely from the cacerts file. (After all, this is not a Web Browser.)

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of Sean Mullan <sean.mullan at oracle.com>
Sent: Friday, December 7, 2018 7:03 PM
To: security Dev OpenJDK
Subject: RFR (12): 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Please review this change to distrust TLS server certificates anchored
by Symantec Root CAs. Although the restrictions won't kick in until
after 12 GA, the fix touches code that validates certificate chains, so
getting this into 12 now will provide more assurance that the chain
validation code continues to work properly.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8207258/webrev.01/
issue: https://bugs.openjdk.java.net/browse/JDK-8207258

Please see the recently posted blog for more information about the
restrictions that are being imposed:
https://blogs.oracle.com/java-platform-group/jdk-distrusting-symantec-tls-certificates

Thanks,
Sean