[12] RFR: 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs

Seán Coffey sean.coffey at oracle.com
Thu Jan 17 18:20:00 UTC 2019

Looks good to me Sean.


On 16/01/2019 19:53, Sean Mullan wrote:
> Please review this change to allow a later Symantec Policy distrust
> date for two Apple subordinate CAs.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8216280
>
> For some background, the JDK will stop trusting TLS Server
> certificates chaining back to Symantec roots, in line with similar
> plans announced by Google, Mozilla, Apple, and Microsoft. The list of
> affected certificates includes certificates branded as GeoTrust,
> Thawte, and VeriSign, which were managed by Symantec. Any TLS Server
> certificate issued after April 16, 2019 will be restricted. This
> change has already been implemented and is in JDK 12 (see JDK-8207258
> for more info).
>
> Apple are actively working with DigiCert on a transition plan and have
> requested a later distrust date: December 31, 2019. This later
> distrust date would only apply to TLS Server certificates issued from
> (or chaining back to) two Apple subordinate CAs: "Apple IST CA 2 - G1"
> and "Apple IST CA 8 - G1" issued by GeoTrust root CAs. Any certificate
> issued after that date will be distrusted. This change would be in
> line with other vendors such as Mozilla that have granted similar
> exemptions to these Apple subCAs.
>
> Thanks,
> Sean
