JEP 288: Disable SHA-1 Certificates

ecki at zusammenkunft.net ecki at zusammenkunft.net
Thu Apr 21 20:18:02 UTC 2016


Hello, can answer the first question myself, the additional attribute deny after is not documented in the JEP but in this task:

https://bugs.openjdk.java.net/browse/JDK-8153777

Gruss
Bernd

-----Original Message-----
From: ecki at zusammenkunft.net
To: security-dev at openjdk.java.net
Sent: Do., 21 Apr. 2016 10:51
Subject: Re: JEP 288: Disable SHA-1 Certificates

Hello,

Two questions: the condition "starting on 2017-01-01" will this be part of the general algorithm deprecation or the jdkCA qualifier. I.e. if I add "SHA1" with no qualifier, will it be in effect immediatelly?

The exception for timestamped code, does it also consider the actual signature hash algorithm? (Asuming SHA1 would be to weak I could also forge an backdated TS signature).

I guess it is implicitely stated but not spelled out: the self signature on root certificates is not considered part of the path checking and can be SHA1, right?

Gruss
Bernd

-- 
http://bernd.eckenfels.net

-----Original Message-----
From: mark.reinhold at oracle.com
To: sean.mullan at oracle.com
Cc: security-dev at openjdk.java.net
Sent: Mi., 20 Apr. 2016 21:01
Subject: JEP 288: Disable SHA-1 Certificates

New JEP Candidate: http://openjdk.java.net/jeps/288

- Mark


More information about the security-dev mailing list