JDK-6869739

Cannot check revocation of single certificate without validating the entire chain


    Details

    • Subcomponent:
    • Resolved In Build:
      b02
    • CPU:
      generic, x86
    • OS:
      generic, linux, windows_xp, windows_7
    • Verification:
      Verified


        Description

        Currently, it is not possible to check if a certificate is revoked without validating the entire certificate chain via the CertPath APIs. This is not acceptable, especially if you have already validated the certificate chain, as many of the certificate chain validation checks (signature, issuer-name checking) are redundant and only need to be checked once. Additionally, you may only want to check if the end-entity certificate has been revoked, and not all the other certificates in the chain.

        We need to implement a revocation checking mechanism that can check if a single certificate has been revoked. Initially we will focus on OCSP and add CRLs later.


                People

                Assignee:
                mullan Sean Mullan
                Reporter:
                mullan Sean Mullan
