Sean Mullan wrote:
Xuelei Fan wrote:
Many, many Verisign root certs are V1, and the intermediate certs are V3.
I believe that is because many Verisign roots were issued in the late
1990's and perhaps v3 (published in 1996) had not gained enough
support in the market yet.
I am wondering if you know if there are legitimate use cases of CAs
still issuing v1/v2 root certificates?
I'm not sure. Most of the new CAs are compliant with the V3 specifications.
If not, I'm not sure it is really worth fixing this. Instead I would
recommend fixing the regression test.
I have never found any root CA that needs to issue a root self-issued
certificate for key rollover or any other reason. It does not sound
like a have-to-fix bug. I had a look at my Firefox certificate store;
there are a few V1 certificates issued around 1998 or 1999, and valid
until 2028/2036. I think it is not bad to support key renewal in case
the feature is needed one day.
The updates have been putback into the JDK7/TL workspace,
http://hg.openjdk.java.net/jdk7/tl/jdk/rev/045743e0eb2d.
Thanks,
Andrew