An update on ecosystem concerns removing javax.security.cert
Eirik Bjørsnøs
eirbjo at gmail.com
Sat Apr 15 09:15:21 UTC 2023
Hi,
JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggest removing
the deprecated classes in javax.security.cert.
The CSR was withdrawn last year following ecosystem compatibility concerns:
> Given the compatibility risks/impacts with existing providers and JSSE
> implementations, we've decided to withdraw this CSR for the time being.
I reached out to the BouncyCastle project [3] and they are basically OK
with the OpenJDK project to go ahead and remove the APIs:
> It's a just cause, so go ahead and deal with it, I think all we need is
> someone to let us know when it's done and point us at a JVM so we can
> start organising the new jar.
I have also contributed the following PRs to make Tomcat, Netty, Vert.x and
Undertow aware of the plans of removal and also to provide the actual code
changes:
https://github.com/apache/tomcat/pull/608
https://github.com/netty/netty/pull/13326
https://github.com/eclipse-vertx/vert.x/pull/4665
https://github.com/undertow-io/undertow/pull/1468
Implementing these PRs was mostly straightforward, indicating that the
impact in these projects would be relatively low if these APIs were
removed today.
I think we are in a bit of a knotty situation where the ecosystem is now
basically just waiting for OpenJDK to actually remove these APIs.
Based on my recent interaction with these projects I'm hopeful that the
ecosystem impact is lower than what has been assessed previously. I believe
we should go ahead with this removal, sooner rather than later.
Any thoughts?
Thanks,
Eirik.
[1] https://bugs.openjdk.org/browse/JDK-8227024
[2] https://bugs.openjdk.org/browse/JDK-8227395
[3] https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2