Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8216280

Allow later Symantec Policy distrust date for two Apple SubCAs

    Details

    • Subcomponent:
    • Resolved In Build:
      b29
    • Verification:
      Verified

      Backports

        Description

        The JDK will stop trusting TLS Server certificates by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec. Any TLS Server certificate issued after April 16, 2019 will be restricted. This change has already been implemented and is in JDK 12 (see JDK-8207258).

        Apple has requested more time to transition their users off of the legacy Symantec Root CAs that will be distrusted for TLS Server certificates. They are working with DigiCert on a transition plan and have requested a later distrust date: December 31, 2019. This later distrust date would only apply to TLS Server certificates issued from two Apple subordinate CAs: "Apple IST CA 2 - G1" and "Apple IST CA 8 - G1". Any certificate issued after that date will be distrusted. Other vendors such as Mozilla have granted similar exemptions to these Apple subCAs.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mullan Sean Mullan
                  Reporter:
                  mullan Sean Mullan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  8 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: