[security-dev 00886]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate

Xuelei Fan Xuelei.Fan at Sun.COM
Tue Jun 9 04:01:00 UTC 2009


Sean Mullan wrote:

Xuelei Fan wrote:

Many, many Verisign root certs are V1, and the intermediate certs are V3.

I believe that is because many Verisign roots were issued in the late 1990's and perhaps v3 (published in 1996) had not gained enough support in the market yet. I am wondering if you know if there are legitimate use cases of CAs still issuing v1/v2 root certificates?

I'm not sure. Most of the new CAs are compliant with the V3 specifications.

If not, I'm not sure it is really worth fixing this. Instead I would recommend fixing the regression test.

I have never found any root CA that needs to issue a root self-issued certificate for key rollover or any other reason. It does not sound like a have-to-fix bug. I had a look at my Firefox certificate store; there are a few V1 certificates issued around 1998 or 1999 and valid until 2028/2036. I think it is not bad to support key renewal in case the feature is needed one day.

The updates have been put back into the JDK7/TL workspace: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/045743e0eb2d

Thanks, Andrew


