From: Seán Coffey [mailto:[email protected]]
> Sent: Friday, 14 July 2017 12:17
> To: Anthony Scarpino ; Sean Mullan
> ; Langer, Christoph
> Cc: OpenJDK Security
> Subject: Re: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
> party JCE provider
>
Tony,
I think we should log a JDK 8u bug for this issue if one doesn't already
exist. If the buggy SigAlgName was allowed in 8u updates already, then
it should continue to be allowed for compatibility reasons IMO.
There might be time to revert that change in 8u152.
For 9, then maybe we c
On 07/12/2017 07:45 AM, Sean Mullan wrote:
On 7/11/17 3:10 PM, Langer, Christoph wrote:
In any case, from what you are saying, I take that I can safely patch
our JDK distribution with this change without doing a bad thing to
security in general, wouldn't you agree?
Yes, I agree.
Also, note
On 07/13/2017 11:26 AM, Anthony Scarpino wrote:
On 07/12/2017 11:59 PM, Langer, Christoph wrote:
I then suggest to also revert JDK10 and 9 to use
X509CertImpl.getSigAlgName() for the time being until some better
check to go for the encoded AlgorithmId. Would you be fine with
that
Looking back at
On 07/12/2017 11:59 PM, Langer, Christoph wrote:
Hi Sean,
So, I guess I would be fine if this could at least be changed for JDKs <= 8 for
compatibility reasons. I can understand if for JDK >= 9 we say this is a new
release and the standard algorithm names shall be enforced. Wouldn't that
be a
Hi Sean,
> > So, I guess I would be fine if this could at least be changed for JDKs <= 8
> > for
> compatibility reasons. I can understand if for JDK >= 9 we say this is a new
> release and the standard algorithm names shall be enforced. Wouldn't that
> be a good compromise?
>
> Yes. In fact I t
On 7/11/17 3:10 PM, Langer, Christoph wrote:
Well, probably you are right that it is not a bug - at least when you look at
the documentation of Java9 (the link that you have cited).
However, if we look at the documentation of X509Certificate, it's not that clear, resp. it wasn't for
pre JDK9 r
istoph ; Anthony Scarpino
Cc: OpenJDK Security ; Dieter Bratko
Subject: Re: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
party JCE provider
Hi Christoph,
On 7/11/17 5:43 AM, Langer, Christoph wrote:
> Hi,
>
> I'd like to ping you again upon that question. In t
Hi Sean,
thanks for coming back on this.
> > I'd like to ping you again upon that question. In the meanwhile I have
> produced a standalone test case and could verify that changing to x509Cert
> vs. the original cert for obtaining the SigAlgName would be a fix. I can share
> the test with you, ho
Langer, Christoph
Sent: Sunday, 9 July 2017 07:57
To: 'Anthony Scarpino' ; 'Sean Mullan'
Cc: OpenJDK Security ; 'Dieter Bratko'
Subject: RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
party JCE provider
Hi Tony et al.,
I'm wondering why
at line being
> reverted?
>
> Thanks & Best regards
> Christoph
>
> > -----Original Message-
> > From: security-dev [mailto:[email protected]] On
> > Behalf Of Anthony Scarpino
> > Sent: Monday, 13 February 2017 22:48
> > To: OpenJDK Security
> > Subject: [RFR] 8174849: Change SHA1 certpath restrictions
> >
> > Hi,
> >
> > I need a quick review on a simple certpath config change.
> >
> > http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
> >
> > thanks
> >
> > Tony
t that line being reverted?
Thanks & Best regards
Christoph
> -Original Message-
> From: security-dev [mailto:[email protected]] On
> Behalf Of Anthony Scarpino
> Sent: Monday, 13 February 2017 22:48
> To: OpenJDK Security
> Subject: [RFR] 8174849: Ch
The attacks against SHA-1 certificates are very real. SHA1 signatures
are spoofable at a relatively low cost and that cost is only getting
cheaper. Most other mature clients (browsers, etc) have an extremely
aggressive rejection of SHA1 signatures.
Why is Java9 rolling this back? What is breaking?
On 2/14/17 2:33 AM, Bernd Eckenfels wrote:
Hello,
The bug does not explain why. I would understand to completely deny SHA1
(i.e. unconditionally), but allowing it seems strange, especially
without a justification.
The initial disabling of SHA-1 certificates in JDK 9 is too broad and
affects a
Hello,
The bug does not explain why. I would understand to completely deny SHA1 (i.e.
unconditionally), but allowing it seems strange, especially without a
justification.
Regards
Bernd
--
http://bernd.eckenfels.net
On Mon, Feb 13, 2017 at 10:57 PM +0100, "Anthony Scarpino"
wrote:
Looks fine. You'll need to add a noreg label to the bug though.
--Sean
On 2/13/17 4:47 PM, Anthony Scarpino wrote:
Hi,
I need a quick review on a simple certpath config change.
http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
thanks
Tony
Hi,
I need a quick review on a simple certpath config change.
http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
thanks
Tony