RFR: 7192189: Support endpoint identification algorithm in RFC 6125

Sean Mullan mullan at openjdk.java.net
Fri Mar 4 16:51:58 UTC 2022


On Fri, 4 Mar 2022 16:33:45 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> About the CSR, did you have a plan to update the "Endpoint Identification Algorithms" in the [Java Security Standard Algorithm Names](https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#endpoint-identification-algorithms) documentation? Currently, the "HTTPS" name is defined for RFC 2818. With this update it may be worth mentioning the compliance with RFC 6125, like
> 
> ```
> HTTPS | RFC 2818, compliant with RFC 6125
> ```

I thought about that but I was hesitant to do that, because technically RFC 6125 does not obsolete RFC 2818 and there has been no successor to RFC 2818. So I would rather treat RFC 6125 as an implementation-specific feature of the JDK TLS implementation; in other words we chose to make our implementation compliant with RFC 6125 but other implementations may choose not to and still be compliant with RFC 2818. Since RFC 2818 is somewhat ambiguous/vague with respect to what components can use wildcards, I believe the JDK implementation is still compliant with 2818. I realize this is not a perfect situation, but if we do this via the API, then I think we need new APIs such that older implementations that may be less strict about wildcards are still compatible with 2818 if they choose.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7697


