On 05/17/2016 12:12 PM, Xuelei Fan wrote:
JDK still supports version 1 certs.  Developers may want to test
version 1 support of their applications.  I agree that version 1
should be faded out, although it is still actively used in practice,
especially as a self-signed cert.

I agree that we need to continue supporting them in our implementation. However, I don't think we should add new tool support for creating v1 certs as that may encourage continued use of them (or misuse where it would be better to use extensions). I guess I don't really see a compelling need to support this, as a V3 certificate can also be used as a self-signed cert.

--Sean


It may be something that we only want to consider for self-signed
certs on request.

Thanks, Xuelei

On May 17, 2016, at 7:45 PM, Sean Mullan <sean.mul...@oracle.com>
wrote:

Hi Xuelei,

Can you elaborate under what circumstances this is useful for
testing? X.509 v3 was first published in 1996, and v1 certificates
should be pretty much non-existent these days (although there are
some root certs that are still v1). v1 certificates do not support
extensions. Adding support may cause users to (accidentally) start
using them in practice, which would not be good. PKIX (RFC 3280)
states that "Conforming implementations may choose to reject all
version 1 and version 2 intermediate certificates." (RFC 5280,
section 6.1.4 step k).

Thanks, Sean

On 05/17/2016 12:44 AM, Wang Weijun wrote:
https://bugs.openjdk.java.net/browse/JDK-8157109 filed.

--Max

On May 17, 2016, at 12:25 PM, Xuelei Fan
<xuelei....@oracle.com> wrote:

Hi,

Keytool used to generate version 1 self-signed certificates.
Now it is mandatory that they be version 3.  Defaulting to version 3
should be OK.  However, in some circumstances (for example, for
testing purposes), a version 1 self-signed certificate may still be
useful.

It would be a low priority, but it may be nice to add an option to
support a specified certificate version number for certificate
generation.

Thanks, Xuelei

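As an added illustration of the version field that Sean's RFC 5280 citation turns on (example code written for this page, not from the thread or from the JDK): a small Python check that reads the X.509 version straight from DER, treating an absent [0] element as v1 per the ASN.1 DEFAULT, and applies the 6.1.4 step (k) policy according to the certificate's role in the path. The DER stubs below are constructed and are not real certificates; `accept_in_path` and the role names are this example's own.

```python
"""Read the X.509 version field from DER and apply RFC 5280 6.1.4 (k):
a v1/v2 certificate may be rejected when it appears as an intermediate."""


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der: bytes) -> int:
    """Return the certificate version (1, 2 or 3) as written in the DER.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... } ... }
    A missing [0] element means v1; the encoded integer is version - 1."""
    tag, tbs_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, pos, _ = _read_tlv(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0xA0:                         # [0] absent -> DEFAULT v1
        return 1
    tag, vstart, vend = _read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    return int.from_bytes(der[vstart:vend], "big") + 1


def accept_in_path(der: bytes, role: str) -> bool:
    """RFC 5280 6.1.4 (k): reject v1/v2 intermediates; anchors and leaves may pass.
    role is one of 'trust_anchor', 'intermediate', 'end_entity' (this example's names)."""
    return role != "intermediate" or x509_version(der) == 3


# Constructed minimal DER stubs (NOT real certificates): only the leading fields
# of tbsCertificate are present, which is all the version check reads.
def _stub(version_byte=None) -> bytes:
    serial = b"\x02\x01\x01"                # INTEGER 1
    ver = b"" if version_byte is None else b"\xa0\x03\x02\x01" + bytes([version_byte])
    tbs = b"\x30" + bytes([len(ver + serial)]) + ver + serial
    return b"\x30" + bytes([len(tbs)]) + tbs


V1_STUB = _stub()                           # no [0] element -> version 1
V3_STUB = _stub(2)                          # INTEGER 2 -> version 3
```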
