RFR: 8225433: Clarify behavior of PKIXParameters.setRevocationEnabled when PKIXRevocationChecker is used
Sean Mullan
mullan at openjdk.java.net
Wed Apr 27 12:26:43 UTC 2022
On Wed, 27 Apr 2022 06:44:37 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> This change improves the specification for the case when a `PKIXRevocationChecker` is supplied as one of the `CertPathChecker` parameters. Specifically, it makes it more clear that a `PKIXRevocationChecker` overrides the default revocation checking mechanism of a PKIX service provider, and will be used to check revocation irrespective of the setting of the RevocationEnabled parameter.
>>
>> Will also file a CSR.
>
> src/java.base/share/classes/java/security/cert/PKIXParameters.java line 339:
>
>> 337: * #setCertPathCheckers setCertPathCheckers} methods).
>> 338: * <p>
>> 339: * However, if a {@code PKIXRevocationChecker} is passed in as a parameter
>
> The word "However" may be not necessary as the previous paragraph is ending with a substitute mechanism. This sentence could be a further explanation of the substitute mechanism.
Yes, that's a fair point. I am going to change "However, if" to "Note that when". The reason is that I want to use some words to call special attention to this paragraph as the most important point of this is "it will be used to check revocation irrespective of the setting of the RevocationEnabled flag.", which the previous paragraphs did not explain.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8287
More information about the security-dev
mailing list