RFR: 8225433: Clarify behavior of PKIXParameters.setRevocationEnabled when PKIXRevocationChecker is used

Sean Mullan mullan at openjdk.java.net
Wed Apr 27 12:26:43 UTC 2022


On Wed, 27 Apr 2022 06:44:37 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> This change improves the specification for the case when a `PKIXRevocationChecker` is supplied as one of the `CertPathChecker` parameters. Specifically, it makes it more clear that a `PKIXRevocationChecker` overrides the default revocation checking mechanism of a PKIX service provider, and will be used to check revocation irrespective of the setting of the RevocationEnabled parameter.
>> 
>> Will also file a CSR.
>
> src/java.base/share/classes/java/security/cert/PKIXParameters.java line 339:
> 
>> 337:      * #setCertPathCheckers setCertPathCheckers} methods).
>> 338:      * <p>
>> 339:      * However, if a {@code PKIXRevocationChecker} is passed in as a parameter
> 
> The word "However" may be not necessary as the previous paragraph is ending with a substitute mechanism.  This sentence could be a further explanation of the  substitute mechanism.

Yes, that's a fair point. I am going to change "However, if" to "Note that when". The reason is that I want to use some words to call special attention to this paragraph as the most important point of this is "it will be used to check revocation irrespective of the setting of the RevocationEnabled flag.", which the previous paragraphs did not explain.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8287


More information about the security-dev mailing list