Sean Mullan wrote:
Xuelei Fan wrote:

Many, many Verisign root certs are V1, and the intermediate certs are V3.

I believe that is because many Verisign roots were issued in the late 1990's and perhaps v3 (published in 1996) had not gained enough support in the market yet.

I am wondering if you know if there are legitimate use cases of CAs still issuing v1/v2 root certificates?
I'm not sure. Most of the new CAs are compliant with the V3 specifications.
If not, I'm not sure it is really worth fixing this. Instead I would recommend fixing the regression test.

I have never found any root CA that needs to issue a root self-issued certificate for key rollover or any other reason. It does not sound like a have-to-fix bug. I had a look at my Firefox certificate store; there are a few V1 certificates issued around 1998 or 1999, and valid until 2028/2036. I think it is not bad to support key renewal in case one day the feature is needed.

The updates have been put back into the JDK7/TL workspace: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/045743e0eb2d.

Thanks,
Andrew
