An update on ecosystem concerns removing javax.security.cert
Eirik Bjørsnøs
eirbjo at gmail.com
Mon Apr 17 07:59:45 UTC 2023
>
> I reached out to the BouncyCastle project [3] and they are basically OK
> with the OpenJDK project to go ahead and remove the APIs:
>
I reached out to the Conscrypt team with a PR. While the PR cannot be
integrated in its current form, the ensuing discussion was instructive:
https://github.com/google/conscrypt/pull/1128
Pete provides a neat explanation of how Conscrypt is packaged and used in
the wider ecosystem. I think the key takeaway for OpenJDK seems to be:
> I think for OpenJDK and standalone Android builds, it's probably fine to
> simply drop support for the getPeerCertificateChain() API at a release
> boundary. Caveat emptor etc.
>
> TBH we've never assumed that upstream OpenJDK would worry about us when
> making breaking changes. :) I don't mean that in a negative way, just that
> your priorities are not the same as ours and so it's up to us to react as
> needed.
Pete then goes on to explain that javax.security.cert currently isn't
formally marked as deprecated in Android Platform, so they are lagging
behind but aim to align with OpenJDK in this respect.
The rest of his comments are mainly focused on the Android parts; it's a
good read for anyone interested in that.
Thanks,
Eirik.