Notification: Certificate Transparency JEP (JDK-8171275)

Jamil Nimeh jamil.j.nimeh at oracle.com
Mon Sep 14 16:19:46 UTC 2020


Hello all,

I wanted to let folks on the alias know that development of the 
Certificate Transparency feature for JSSE is now under way.  I've posted 
the JEP here:

https://bugs.openjdk.java.net/browse/JDK-8171275

The design is in the early stages and there are a number of things that 
are TBD at this point.  Some of the big ones:

  * How the client will consume and store log information
  * How we deal with the thresholds for pass/fail validity checks on
    SCTs collected during the handshake
  * Assuming the server will support providing SCTs in the TLS
    extension, where it will consume and store the serialized SCTs.

There are a few others.  At this point I've got the consumption of SCTs 
in the handshake by the client working for X.509 certs and TLS 
extensions, and the OCSP stapling method is in progress.

The JEP will be updated in the weeks to come as the open design elements 
are addressed.

Thanks,

--Jamil
