[12] RFR: 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs

Sean Mullan sean.mullan at oracle.com
Wed Jan 16 19:53:39 UTC 2019


Please review this change to allow a later Symantec Policy distrust date 
for two Apple subordinate CAs.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8216280

For some background, the JDK will stop trusting TLS Server certificates 
chaining back to Symantec roots, in line with similar plans announced by 
Google, Mozilla, Apple, and Microsoft. The list of affected certificates 
includes certificates branded as GeoTrust, Thawte, and VeriSign, which 
were managed by Symantec. Any TLS Server certificate issued after April 
16, 2019 will be restricted. This change has already been implemented 
and is in JDK 12 (see JDK-8207258 for more info).

Apple are actively working with DigiCert on a transition plan and have 
requested a later distrust date: December 31, 2019. This later distrust 
date would only apply to TLS Server certificates issued from (or 
chaining back to) two Apple subordinate CAs: "Apple IST CA 2 - G1" and 
"Apple IST CA 8 - G1" issued by GeoTrust root CAs. Any certificate 
issued after that date will be distrusted. This change would be in line 
with other vendors such as Mozilla that have granted similar exemptions 
to these Apple subCAs.

Thanks,
Sean
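
The date rule described in this message, sketched as an added Java example (not taken from the webrev or the JDK source): chains anchored at a Symantec-managed root use the April 16, 2019 cutoff unless they pass through one of the two Apple subCAs, which get December 31, 2019. The `Cert` class, the fingerprint strings and the method names are hypothetical placeholders, and comparing the leaf's notBefore date against the cutoff is an assumption about how "issued after" is measured.

```java
import java.time.LocalDate;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SymantecDistrustSketch {
    // Default cutoff and the later cutoff for the two Apple subCAs, as stated in the message.
    static final LocalDate DEFAULT_CUTOFF = LocalDate.of(2019, 4, 16);
    static final LocalDate APPLE_CUTOFF = LocalDate.of(2019, 12, 31);

    // Placeholder identifiers (constructed); a real policy would pin certificate fingerprints.
    static final Set<String> SYMANTEC_ROOTS = Set.of("FP-GEOTRUST-ROOT-PLACEHOLDER");
    static final Map<String, LocalDate> EXEMPT_SUBCAS = Map.of(
        "FP-APPLE-IST-CA-2-G1-PLACEHOLDER", APPLE_CUTOFF,
        "FP-APPLE-IST-CA-8-G1-PLACEHOLDER", APPLE_CUTOFF);

    // Hypothetical stand-in for an X.509 certificate: fingerprint plus notBefore date.
    static final class Cert {
        final String fingerprint;
        final LocalDate notBefore;
        Cert(String fingerprint, LocalDate notBefore) {
            this.fingerprint = fingerprint;
            this.notBefore = notBefore;
        }
    }

    // chain is ordered leaf first, trust anchor last.
    static boolean isDistrusted(List<Cert> chain) {
        Cert anchor = chain.get(chain.size() - 1);
        if (!SYMANTEC_ROOTS.contains(anchor.fingerprint)) {
            return false; // the policy only covers chains ending at a Symantec root
        }
        LocalDate cutoff = DEFAULT_CUTOFF;
        // "issued from (or chaining back to)": any cert below the anchor may carry the exemption.
        for (Cert c : chain.subList(0, chain.size() - 1)) {
            cutoff = EXEMPT_SUBCAS.getOrDefault(c.fingerprint, cutoff);
        }
        return chain.get(0).notBefore.isAfter(cutoff);
    }

    public static void main(String[] args) {
        Cert root = new Cert("FP-GEOTRUST-ROOT-PLACEHOLDER", LocalDate.of(2008, 1, 1));
        Cert apple = new Cert("FP-APPLE-IST-CA-2-G1-PLACEHOLDER", LocalDate.of(2014, 6, 1));
        Cert other = new Cert("FP-OTHER-SUBCA-PLACEHOLDER", LocalDate.of(2014, 6, 1));
        Cert leaf = new Cert("FP-LEAF-PLACEHOLDER", LocalDate.of(2019, 6, 1)); // constructed leaf
        System.out.println("via other subCA: " + isDistrusted(List.of(leaf, other, root)));
        System.out.println("via Apple subCA: " + isDistrusted(List.of(leaf, apple, root)));
    }
}
```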

