Sean Mullan sean.mullan at oracle.com
Tue Apr 21 19:43:03 UTC 2015

On 03/30/2015 11:57 PM, Wang Weijun wrote:
> Hi Sean
> Are you OK with this?
>> CertificateExtensions.java
>> ==========================
>> Since we don't use names as keys, CertificateExtensions is not a typical CertAttrSet now. Remove the implements clause.
> Almost every class in the x509 package is built around the CertAttrSet and they together weave an elegant net. It will be nice if CertificateExtensions can only use the hierarchical names as keys, but unfortunately, it has to use OID sometimes.
> My suggestion above breaks it from the CertAttrSet net. I won't dare to do this before jdk9 because people outside might use these classes, but now it's probably safe to do so.

Well, they may still be able to use them in JDK 9 if they go through 
some extra hoops.

I think that we should proceed with care, and avoid making too many 
changes to these internal APIs if we can. Although we don't want anyone 
using these classes, sun.security.x509 is one of the older internal 
packages, so there is somewhat of a higher risk we will break existing 
code. That said, it shouldn't be a rule, since there were never any 
guarantees to begin with.

So I would be slightly in favor of leaving it as is for now as long as 
it isn't causing any other issues. In JDK 10, we can be more aggressive 
about adapting these internal APIs as we see fit.


> That said, CertificateExtensions is now an alien, although its sibling CRLExtensions has always been one.
> Thanks
> Max
