On 2019-06-03 at 17:07, Sean Mullan wrote:
On 6/2/19 11:00 AM, Weijun Wang wrote:
But it still has to be a keystore. KeyStore is designed into SSL's
TrustManagerFactory. JSSE has system properties
javax.net.ssl.trustStore* pointing to it specifying file name,
keystore type, and password. If we really use a PEM bundle, we might
need to define a new keystore type "x509" or "pem". It's certainly
cert-only, it might or might not be read-only. For the same reason I
described in the CSR, it probably should be loadable by
KeyStore.getInstance("JKS").
I can do some experiment. This won't go into JDK 13 anyway so there is
time to discuss.
It sounds like it is worth exploring the benefits of a "PEM" Keystore
implementation some more, but there is not enough time to do that in JDK
13.
Given that, I think we should delay this issue and not push it to JDK
13. I think we want to avoid a case where we end up moving cacerts from
JKS to PKCS12 and then changing our minds and moving it to PEM.
Let's take the additional release to work out what is the best long-term
solution here.
Strongly agree!
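The thread above turns on one fact: JSSE only knows how to obtain trust anchors through the KeyStore API, so whatever format cacerts takes (JKS, PKCS12, or a hypothetical "PEM" type), it must be loadable by `KeyStore.getInstance(...)` and handed to a `TrustManagerFactory`. The following is an added example written for this page, not code from the JDK or from the thread's authors. It loads the running JDK's own cacerts the way JSSE does when only `javax.net.ssl.trustStore` is set (type "JKS", which since JDK 9 also reads PKCS12 files in compatibility mode), checks that the store is cert-only, initializes a `TrustManagerFactory` from it, and writes the same anchors out as a PEM bundle, which is exactly what a "PEM" keystore type would have to do on `store()`. The cacerts path and the command-line argument handling are assumptions of the example.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CacertsInspect {

    // Assumption: the running JDK's own cacerts file (the store this thread discusses).
    static Path cacertsPath() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Load the trust store through the KeyStore API with type "JKS", which is what
    // JSSE does for javax.net.ssl.trustStore when no trustStoreType is given.
    // A null password skips the integrity check, mirroring an unset
    // javax.net.ssl.trustStorePassword; a cert-only store has no secrets to protect.
    static KeyStore loadAsJks(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    // "Cert-only" means every alias is a trusted-certificate entry and none is a key entry.
    static boolean isCertOnly(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            if (!ks.isCertificateEntry(aliases.nextElement())) {
                return false;
            }
        }
        return true;
    }

    // This is the only way JSSE consumes trust anchors: a KeyStore goes into the
    // TrustManagerFactory, which hands back an X509TrustManager.
    static X509TrustManager trustManagerFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // What a "PEM" keystore type would emit on store(): the same certificates,
    // DER-encoded and Base64-wrapped at 64 columns between PEM armor lines.
    static String toPemBundle(KeyStore ks) throws Exception {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes());
        StringBuilder sb = new StringBuilder();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            sb.append("# alias: ").append(alias).append('\n')
              .append("-----BEGIN CERTIFICATE-----\n")
              .append(enc.encodeToString(cert.getEncoded()))
              .append("\n-----END CERTIFICATE-----\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: a different JKS or PKCS12 trust store to inspect.
        Path path = args.length > 0 ? Paths.get(args[0]) : cacertsPath();
        KeyStore ks = loadAsJks(path, null);
        System.out.println("loaded " + path + " via KeyStore type " + ks.getType()
            + ": " + ks.size() + " entries, certOnly=" + isCertOnly(ks));
        X509TrustManager tm = trustManagerFrom(ks);
        System.out.println("trust anchors exposed to JSSE: " + tm.getAcceptedIssuers().length);
        System.out.print(toPemBundle(ks));
    }
}
```

Note that `ks.getType()` reports the type requested ("JKS") even when the file on disk is PKCS12, which is the compatibility behaviour that lets cacerts change on-disk format without breaking callers of `KeyStore.getInstance("JKS")`; a new "PEM" type would need the same kind of fallback to be a drop-in replacement.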