On Thu, 2 Dec 2021 14:29:00 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> I don’t have any major concerns with this change, as long as the default > cacerts are still the ones that are in the JDK. As an aside, using Mozilla's > root certificates might be fine for TLS certificates, but if you need to > support code signing certificates you may run into issues with missing CAs as > Mozilla's Root program does not support that use case. Also, by overriding > the roots included in the JDK, you are taking on the responsibility (which is > significant, in my opinion) of ensuring that those roots are trusted and have > not been compromised, revoked, have weak keys, etc. @seanjmullan Thanks Sean, I'll pass your comment on, cheers Andrew ------------- PR: https://git.openjdk.java.net/jdk/pull/6647
