Looks good to me Sean.

regards,
Sean.

On 16/01/2019 19:53, Sean Mullan wrote:
Please review this change to allow a later Symantec Policy distrust date for two Apple subordinate CAs.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8216280/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8216280

For some background, the JDK will stop trusting TLS Server certificates chaining back to Symantec roots, in line with similar plans announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec. Any TLS Server certificate issued after April 16, 2019 will be restricted. This change has already been implemented and is in JDK 12 (see JDK-8207258 for more info).

Apple are actively working with DigiCert on a transition plan and have requested a later distrust date: December 31, 2019. This later distrust date would only apply to TLS Server certificates issued from (or chaining back to) two Apple subordinate CAs: "Apple IST CA 2 - G1" and "Apple IST CA 8 - G1" issued by GeoTrust root CAs. Any certificate issued after that date will be distrusted. This change would be in line with other vendors such as Mozilla that have granted similar exemptions to these Apple subCAs.

Thanks,
Sean
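
The date rule described in the message above, as an added example that is not part of the original thread and is not the JDK's own code. It assumes a simplified certificate model in which each certificate is identified by a label (standing in for a fingerprint) and an issue date; the root identifier is a constructed placeholder, and the class, record and method names are hypothetical.

```java
import java.time.LocalDate;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SymantecDistrustExample {
    // Simplified certificate (assumption): id stands in for a fingerprint.
    record Cert(String id, LocalDate notBefore) {}

    // Constructed placeholder for the affected Symantec-managed roots.
    static final Set<String> AFFECTED_ROOTS = Set.of("PLACEHOLDER-GEOTRUST-ROOT");

    // Default cutoff from the message: issued after this date is restricted.
    static final LocalDate DEFAULT_CUTOFF = LocalDate.of(2019, 4, 16);

    // The two Apple subordinate CAs named in the message, with the later date.
    static final Map<String, LocalDate> EXEMPT_SUBCAS = Map.of(
        "Apple IST CA 2 - G1", LocalDate.of(2019, 12, 31),
        "Apple IST CA 8 - G1", LocalDate.of(2019, 12, 31));

    // chain is ordered leaf first, trust anchor last, and already path-validated.
    static boolean isTrusted(List<Cert> chain) {
        Cert anchor = chain.get(chain.size() - 1);
        if (!AFFECTED_ROOTS.contains(anchor.id())) {
            return true; // policy only applies to chains ending at an affected root
        }
        LocalDate cutoff = DEFAULT_CUTOFF;
        // Look only at intermediates: an exempt subCA in the chain moves the cutoff.
        for (int i = 1; i < chain.size() - 1; i++) {
            LocalDate later = EXEMPT_SUBCAS.get(chain.get(i).id());
            if (later != null) {
                cutoff = later;
            }
        }
        // Issued on the cutoff date is still accepted; only later dates fail.
        return !chain.get(0).notBefore().isAfter(cutoff);
    }

    public static void main(String[] args) {
        Cert root = new Cert("PLACEHOLDER-GEOTRUST-ROOT", LocalDate.of(2002, 5, 21));
        Cert apple = new Cert("Apple IST CA 2 - G1", LocalDate.of(2014, 6, 16));
        Cert other = new Cert("constructed-other-subca", LocalDate.of(2015, 1, 1));
        // Constructed leaf issued between the two cutoff dates.
        Cert leaf = new Cert("constructed-leaf", LocalDate.of(2019, 6, 1));
        System.out.println(isTrusted(List.of(leaf, apple, root)));
        System.out.println(isTrusted(List.of(leaf, other, root)));
    }
}
```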
