RFR CSR for 8162628: Migrating cacerts keystore to password-less PKCS12 format

Michael Osipov 1983-01-06 at gmx.net
Mon Jun 3 18:47:18 UTC 2019


On 2019-06-03 at 17:07, Sean Mullan wrote:
> On 6/2/19 11:00 AM, Weijun Wang wrote:
>> But it still has to be a keystore. KeyStore is designed into SSL's
>> TrustManagerFactory. JSSE has system properties
>> javax.net.ssl.trustStore* pointing to it specifying file name,
>> keystore type, and password. If we really use a PEM bundle, we might
>> need to define a new keystore type "x509" or "pem". It's certainly
>> cert-only, it might or might not be read-only. For the same reason I
>> described in the CSR, it probably should be loadable by
>> KeyStore.getInstance("JKS").
>>
>> I can do some experiment. This won't go into JDK 13 anyway so there is
>> time to discuss.
>
> It sounds like it is worth exploring the benefits of a "PEM" Keystore
> implementation some more, but there is not enough time to do that in JDK
> 13.
>
> Given that, I think we should delay this issue and not push it to JDK
> 13. I think we want to avoid a case where we end up moving cacerts from
> JKS to PKCS12 and then changing our minds and moving it to PEM.
>
> Let's take the additional release to work out what is the best long-term
> solution here.

Strongly agree!
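As an added illustration of the point made above (cacerts is consumed through the KeyStore API by JSSE's TrustManagerFactory, and the javax.net.ssl.trustStore* system properties select file, type and password), the following example code is not from the thread or from the JDK itself. It loads the trust store the way a default trust manager would, reports whether the store is cert-only, and builds an X509TrustManager from it. The default cacerts path (a JDK 9+ `lib/security/cacerts` layout) and the class name `TrustStoreInspector` are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the thread or the JDK): load the cacerts trust
 * store honouring the javax.net.ssl.trustStore* properties, check whether it
 * is cert-only, and hand it to a TrustManagerFactory as JSSE would.
 */
public class TrustStoreInspector {

    /** Assumption: JDK 9+ layout; older JDKs keep cacerts under jre/lib/security. */
    private static final String DEFAULT_CACERTS =
        System.getProperty("java.home") + "/lib/security/cacerts";

    /** Loads the trust store selected by the javax.net.ssl.trustStore* properties. */
    public static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore", DEFAULT_CACERTS);
        // Type falls back to KeyStore.getDefaultType() ("pkcs12" since JDK 9). With the
        // java.security setting keystore.type.compatibility=true, asking for "JKS"
        // still opens a PKCS12 file, which is what keeps old callers working.
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                                         KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        // A password-less store is opened with a null password; the integrity MAC is
        // then not verified on load, so file permissions are the only protection.
        char[] password = (pw == null) ? null : pw.toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True when every alias is a trusted-certificate entry (no private keys). */
    public static boolean isCertOnly(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                return false;
            }
        }
        return true;
    }

    /** Builds the X509TrustManager JSSE would derive from this trust store. */
    public static X509TrustManager trustManagerFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore();
        System.out.println("type=" + ks.getType() + " entries=" + ks.size()
            + " certOnly=" + isCertOnly(ks));
        X509TrustManager tm = trustManagerFrom(ks);
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }
    }
}
```

Run it with `-Djavax.net.ssl.trustStoreType=JKS` against a PKCS12 cacerts to see the compatibility path the thread relies on, and with a null password to see the cost of a password-less store: the load succeeds without the integrity check, so tampering with the file is only caught by whatever protects it on disk.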

