Code review request, JDK-8168822, Document that algorithm restrictions do not apply to trusted certs

Thu Oct 27 20:42:27 UTC 2016

I'm not sure I like the word "trusted". That is too general and fairly 
subjective.

I would say the following: "do not apply to trust anchors or self-signed 
certificates".

--Sean

On 10/26/2016 08:37 PM, Xuelei Fan wrote:
> New webrev:
>     http://cr.openjdk.java.net/~xuelei/8168822/webrev.01/
>
> On 10/27/2016 8:34 AM, Wang Weijun wrote:
>> One question: I thought for TLS, you check twice. First using
>> jdk.tls.disabledAlgorithms on cipher suites etc, and second using
>> jdk.certpath.disabledAlgorithms on certificates. Why is
>> jdk.tls.disabledAlgorithms applied to cert at all?
>>
> jdk.tls.disabledAlgorithms also check certificates used during
> handshaking, not only cipher suites.
>
>> Thanks
>> Max
>>
>> On 10/27/2016 8:30 AM, Wang Weijun wrote:
>>> I don't think this applies to jdk.jar.disabledAlgorithms. While the
>>> private key algorithm and key size are determined by the certificate, I
>>> think they are always checked even if the end-entity cert is trusted
>>> (For example, a trusted self-signed cert).
>>>
> Make sense to me.  I removed the update on jdk.jar.disabledAlgorithms.
>
> Thanks,
> Xuelei
>
>>> Thanks
>>> Max
>>>
>>> On 10/27/2016 8:04 AM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Please review the simple fix:
>>>>
>>>>     http://cr.openjdk.java.net/~xuelei/8168822/webrev/
>>>>
>>>> Algorithm restrictions do not apply to trusted certs as the
>>>> application or customer has made the decision to trust the "trusted
>>>> cert".  However, this point is not explicit for general developers and
>>>> users.  We'd better to clarify this point explicitly.
>>>>
>>>> In the update, I add a short note for each algorithm constraint
>>>> security
>>>> properties:
>>>>
>>>>    Note: Algorithm restrictions do not apply to trusted certificates.
>>>>
>>>> Doc only update, no new regression test.
>>>>
>>>> Thanks,
>>>> Xuelei