Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: security-libs
    • Labels:
      None

      Description

      This dev task involves implementing the "denyAfter" constraint (JDK-8154005) and items #2, #3, and #5 in the "Disable SHA-1 Certificates" JEP: http://openjdk.java.net/jeps/8149555

      It also includes getting CCC approval for the new constraint.


      Problem:
      Continuing the CertPath validations work started in 8140422, when algorithms are being phased out, a standards body sets a end date the industry to stop using it. However, not everyone may be able to comply by that end date, an company may want to set it's own internal dates, or the date maybe moved by the standards body. Having flexibility for this end date is important.

      Solution:
      Establishing a date constraint for when a DisabledAlgorithm constraint denies access allows flexibility to everyone. The constraint can be added as a condition to any DisabledAlgorithm constraint. The constraint is called "denyAfter". It will be followed by a date in the format of YYYYMMDD. The date will represent the machine's local time when the constraint will start being denied. For example: SHA1 jdkCA & denyAfter 20170101

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ascarpino Anthony Scarpino
                Reporter:
                mullan Sean Mullan
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved: