Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8195793

Remove GTE CyberTrust Global Root

    XMLWordPrintable

    Details

      Backports

        Description

        The GTE CyberTrust Global Root expires on Aug. 13, 2018. It also uses a 1024-bit key and MD5 signature. There is no replacement for this root. The cacerts keystore alias name for this root is "gtecybertrustglobalca [jdk]".

        Certificates that chain back to this root have been issued for TLS and code signing. With code signing certificates, the signed code may have also been timestamped, allowing that code to continue to be valid even after the code signing certificate (or any CA in its chain, including the root) expires. Thus, if we removed this root, there is a risk that we would break existing signed code that has been timestamped with certificates chaining back to this root.

        However, this is primarily a risk for signed applets and Web Start apps. Applets are deprecated as of JDK 9 and Oracle does not include Web Start in JDK 11. I am not aware of other use cases for timestamping Java code. Therefore, I think it is safe and of minimal risk to remove this root going forward.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  7 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: