[12] RFR: 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
Seán Coffey
sean.coffey at oracle.com
Thu Jan 17 18:20:00 UTC 2019
Looks good to me Sean.
regards,
Sean.
On 16/01/2019 19:53, Sean Mullan wrote:
> Please review this change to allow a later Symantec Policy distrust
> date for two Apple subordinate CAs.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8216280
>
> For some background, the JDK will stop trusting TLS Server
> certificates chaining back to Symantec roots, in line with similar
> plans announced by Google, Mozilla, Apple, and Microsoft. The list of
> affected certificates includes certificates branded as GeoTrust,
> Thawte, and VeriSign, which were managed by Symantec. Any TLS Server
> certificate issued after April 16, 2019 will be restricted. This
> change has already been implemented and is in JDK 12 (see JDK-8207258
> for more info).
>
> Apple are actively working with DigiCert on a transition plan and have
> requested a later distrust date: December 31, 2019. This later
> distrust date would only apply to TLS Server certificates issued from
> (or chaining back to) two Apple subordinate CAs: "Apple IST CA 2 - G1"
> and "Apple IST CA 8 - G1" issued by GeoTrust root CAs. Any certificate
> issued after that date will be distrusted. This change would be in
> line with other vendors such as Mozilla that have granted similar
> exemptions to these Apple subCAs.
>
> Thanks,
> Sean
More information about the security-dev mailing list