Looks good to me Sean.
regards,
Sean.

On 16/01/2019 19:53, Sean Mullan wrote:

Please review this change to allow a later Symantec Policy distrust
date for two Apple subordinate CAs.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8216280

For some background, the JDK will stop trusting TLS Server
certificates chaining back to Symantec roots, in line with similar
plans announced by Google, Mozilla, Apple, and Microsoft. The list of
affected certificates includes certificates branded as GeoTrust,
Thawte, and VeriSign, which were managed by Symantec. Any TLS Server
certificate issued after April 16, 2019 will be restricted. This
change has already been implemented and is in JDK 12 (see JDK-8207258
for more info).

Apple are actively working with DigiCert on a transition plan and have
requested a later distrust date: December 31, 2019. This later
distrust date would only apply to TLS Server certificates issued from
(or chaining back to) two Apple subordinate CAs: "Apple IST CA 2 - G1"
and "Apple IST CA 8 - G1" issued by GeoTrust root CAs. Any certificate
issued after that date will be distrusted. This change would be in
line with other vendors such as Mozilla that have granted similar
exemptions to these Apple subCAs.

Thanks,
Sean
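
The distrust decision described in the message above, modelled as an added example that is not part of the original thread and is not the JDK's own code. Assumptions: certificates are identified by constructed placeholder fingerprints (not real hashes), "issued" is taken to mean the leaf certificate's notBefore date, and "after" is a strict date comparison.

```python
from datetime import date

# Dates stated in the message above.
DEFAULT_DISTRUST = date(2019, 4, 16)   # Symantec-rooted TLS server certs
APPLE_DISTRUST = date(2019, 12, 31)    # later date for the two Apple subCAs

# Constructed placeholder fingerprints; a real policy would pin certificate hashes.
SYMANTEC_ROOTS = {"FP-GEOTRUST-ROOT-PLACEHOLDER", "FP-VERISIGN-ROOT-PLACEHOLDER"}
EXEMPT_SUBCAS = {
    "FP-APPLE-IST-CA-2-G1-PLACEHOLDER": APPLE_DISTRUST,
    "FP-APPLE-IST-CA-8-G1-PLACEHOLDER": APPLE_DISTRUST,
}

def distrust_date(chain):
    """chain: fingerprints ordered leaf -> intermediates -> trust anchor.
    Returns the applicable distrust date, or None if the policy does not apply."""
    if not chain or chain[-1] not in SYMANTEC_ROOTS:
        return None                      # not anchored by an affected root
    for fp in chain[1:-1]:               # intermediates only, never the leaf
        if fp in EXEMPT_SUBCAS:
            return EXEMPT_SUBCAS[fp]     # chain passes through an exempt subCA
    return DEFAULT_DISTRUST

def is_distrusted(chain, leaf_not_before):
    """True when the leaf was issued after the date that applies to its chain."""
    limit = distrust_date(chain)
    return limit is not None and leaf_not_before > limit

# Constructed sample chains (hypothetical names throughout).
GEOTRUST_CHAIN = ["FP-LEAF-A", "FP-OTHER-SUBCA", "FP-GEOTRUST-ROOT-PLACEHOLDER"]
APPLE_CHAIN = ["FP-LEAF-B", "FP-APPLE-IST-CA-2-G1-PLACEHOLDER",
               "FP-GEOTRUST-ROOT-PLACEHOLDER"]
OTHER_CHAIN = ["FP-LEAF-C", "FP-OTHER-SUBCA", "FP-UNRELATED-ROOT"]

def evaluate_samples():
    cases = [
        (GEOTRUST_CHAIN, date(2019, 5, 1)),   # after default date
        (GEOTRUST_CHAIN, date(2019, 4, 16)),  # on the boundary date
        (APPLE_CHAIN, date(2019, 5, 1)),      # covered by the later date
        (APPLE_CHAIN, date(2020, 1, 1)),      # after the later date
        (OTHER_CHAIN, date(2020, 1, 1)),      # policy does not apply
    ]
    return [is_distrusted(chain, nb) for chain, nb in cases]

if __name__ == "__main__":
    print(evaluate_samples())
```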