On 09/09/2013 03:15 AM, Weijun Wang wrote:
UntrustedCertificates:
[65] We should log the exception (could be a parsing error, so we would
want to know that)
You mean for -Djava.security.debug=certpath?
Yes.
BlacklistedCertsConverter:
I'm a little concerned that this tool re-writes the blacklisted.certs
file each time, as a mistake could wipe out previous entries. I would
prefer if it just appended to the existing file. I would suggest that
the input be a file containing a single PEM encoded cert, and that the
tool append the hash to the blacklist.certs file, and the PEM cert to
the blacklist.pem file.
There are several reasons I chose the current approach:
1. A mistake won't wipe out previous entries, the file is in source code
control.
2. It still allows people adding comments to the blacklisted.certs.pem
file.
3. The tool will also be used to generate the file in the closed repo.
Either it will need extra arguments for files it appends to or it must
be called in the same directory. Either looks like extra burden.
4. It allows re-order of blacklisted.certs.pem file.
5. It allows the developer running the tool again and again, but not
something like
false run -> revert -> re-run.
Ok, I suppose any accidental deleted/changed entries would be fairly
obvious in a code review anyway.
--Sean
Thanks
Max
