Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs

Sean Mullan sean.mullan at
Thu Oct 27 20:42:27 UTC 2016

I'm not sure I like the word "trusted". That is too general and fairly 

I would say the following: "do not apply to trust anchors or self-signed 


On 10/26/2016 08:37 PM, Xuelei Fan wrote:
> New webrev:
> On 10/27/2016 8:34 AM, Wang Weijun wrote:
>> One question: I thought for TLS, you check twice. First using
>> jdk.tls.disabledAlgorithms on cipher suites etc, and second using
>> jdk.certpath.disabledAlgorithms on certificates. Why is
>> jdk.tls.disabledAlgorithms applied to cert at all?
> jdk.tls.disabledAlgorithms also check certificates used during
> handshaking, not only cipher suites.
>> Thanks
>> Max
>> On 10/27/2016 8:30 AM, Wang Weijun wrote:
>>> I don't think this applies to jdk.jar.disabledAlgorithms. While the
>>> private key algorithm and key size are determined by the certificate, I
>>> think they are always checked even if the end-entity cert is trusted
>>> (For example, a trusted self-signed cert).
> Make sense to me.  I removed the update on jdk.jar.disabledAlgorithms.
> Thanks,
> Xuelei
>>> Thanks
>>> Max
>>> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>>>> Hi,
>>>> Please review the simple fix:
>>>> Algorithm restrictions do not apply to trusted certs as the
>>>> application or customer has made the decision to trust the "trusted
>>>> cert".  However, this point is not explicit for general developers and
>>>> users.  We'd better to clarify this point explicitly.
>>>> In the update, I add a short note for each algorithm constraint
>>>> security
>>>> properties:
>>>>    Note: Algorithm restrictions do not apply to trusted certificates.
>>>> Doc only update, no new regression test.
>>>> Thanks,
>>>> Xuelei

More information about the security-dev mailing list