Whoa, having a specific property named after a brand looks awfully specific and even hostile. (Yes, it can be removed in a future version when all existing certs are expected to expire, but having code patches distributed for such policy enforcement does look like a heavy gun.)

Wouldn't it be a better idea to have a generic blacklist framework (with thumbprint and forced end date), maybe even by using the WebStart blacklist technology? (Or just put the list with new syntax in the algorithm restriction properties; the list is long, but if it's limited to the thumbprints it should be doable.) Also, since this (without OCSP stapling or CT) somewhat trusts Symantec not to backdate issuances, why not trust them not to issue new ones? Just wait for a few more months and remove them completely from the cacerts file. (After all, this is not a web browser.)

Regards,
Bernd
-- 
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Sean Mullan <sean.mul...@oracle.com>
Sent: Friday, December 7, 2018 7:03 PM
To: security Dev OpenJDK
Subject: RFR (12): 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Please review this change to distrust TLS server certificates anchored by Symantec Root CAs. Although the restrictions won't kick in until after 12 GA, the fix touches code that validates certificate chains, so getting this into 12 now will provide more assurance that the chain validation code continues to work properly.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8207258/webrev.01/
issue: https://bugs.openjdk.java.net/browse/JDK-8207258

Please see the recently posted blog for more information about the restrictions that are being imposed:
https://blogs.oracle.com/java-platform-group/jdk-distrusting-symantec-tls-certificates

Thanks,
Sean
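The generic "thumbprint plus forced end date" blacklist that Bernd sketches above, written out as an added example. This is not the JDK's code, not the webrev under review, and not a real JDK security property: the property syntax (`<sha256-of-root-DER> denyAfter <YYYY-MM-DD>`), the anchor bytes, the cutoff date and the 825-day maximum leaf lifetime are all constructed for illustration. It also shows the two caveats from the message: the check relies on the CA not backdating notBefore, and an entry only becomes safe to drop once every certificate that could have been issued before the cutoff has expired.

```python
import hashlib
from datetime import date, datetime

# Hypothetical policy syntax, an assumption for this example (not a real JDK
# property). One entry per line, in the spirit of jdk.certpath.disabledAlgorithms:
#   <sha256-fingerprint-of-root-DER-as-hex> denyAfter <YYYY-MM-DD>
# A chain is distrusted when its trust anchor matches a listed fingerprint and
# the end-entity certificate's notBefore is later than the cutoff date.


def parse_distrust_policy(text):
    """Parse the policy text into {fingerprint_hex: cutoff_date}."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "denyAfter":
            raise ValueError(f"line {lineno}: expected '<sha256-hex> denyAfter <date>'")
        fp, _, day = parts
        fp = fp.replace(":", "").lower()         # accept AA:BB:... or aabb...
        if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError(f"line {lineno}: malformed SHA-256 fingerprint")
        policy[fp] = date.fromisoformat(day)
    return policy


def fingerprint(der):
    """SHA-256 thumbprint of a certificate's DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def is_distrusted(policy, anchor_der, leaf_not_before):
    """Return (distrusted, reason) for a chain anchored at anchor_der.

    Caveat (the point raised in the thread): notBefore is written by the CA,
    so without CT or stapled OCSP this check trusts the CA not to backdate.
    """
    cutoff = policy.get(fingerprint(anchor_der))
    if cutoff is None:
        return False, "anchor not listed"
    issued = leaf_not_before.date()
    if issued > cutoff:
        return True, f"anchor listed; leaf issued {issued}, after cutoff {cutoff}"
    return False, f"anchor listed; leaf issued {issued}, on or before cutoff {cutoff}"


def cutoff_retirable(cutoff, today, max_validity_days=825):
    """True once every leaf issued on or before the cutoff must have expired.

    max_validity_days is an assumed upper bound on leaf lifetime; once it has
    elapsed the entry (or the root itself) can simply be removed from cacerts.
    """
    return (today - cutoff).days > max_validity_days


# Constructed sample data: these bytes stand in for DER-encoded root certs.
ANCHOR_A = b"constructed DER of a distrusted root"
ANCHOR_B = b"constructed DER of an unrelated root"

POLICY_TEXT = f"""
# example entry: cutoff date chosen for illustration only
{fingerprint(ANCHOR_A)} denyAfter 2019-04-01
"""


if __name__ == "__main__":
    policy = parse_distrust_policy(POLICY_TEXT)
    print(is_distrusted(policy, ANCHOR_A, datetime(2019, 6, 1)))   # distrusted
    print(is_distrusted(policy, ANCHOR_A, datetime(2019, 3, 1)))   # still trusted
    print(is_distrusted(policy, ANCHOR_B, datetime(2019, 6, 1)))   # not listed
    print(cutoff_retirable(date(2019, 4, 1), date(2021, 8, 1)))    # True
```

Keying the list on the root's thumbprint rather than on a name keeps the property generic: a new entry is one line of data, and no code patch is needed to add or retire one.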