RFR [12]: 8195793: Remove GTE CyberTrust Global Root
Sean Mullan
sean.mullan at oracle.com
Thu Oct 18 15:04:13 UTC 2018
Please review this change to remove the GTE CyberTrust Global Root from
the cacerts keystore. This root is expired and all certificates that
chain back to this root have expired.
Note that retaining roots past their expiration date may make sense in
some cases. For example, if we removed a root it could break signed code
that had been previously timestamped. It may make sense to allow for a
transition period for those apps to be signed and re-deployed using new
certificates.
However, this is much less of a risk going forward. Applets have been
deprecated since JDK 9 and WebStart apps are not supported as of
(Oracle) JDK 11. These were the primary use cases for signed and
timestamped code that I am aware of.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8195793/webrev.00/
Thanks,
Sean
More information about the security-dev
mailing list