[RFR] 8174849: Change SHA1 certpath restrictions

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[RFR] 8174849: Change SHA1 certpath restrictions

Anthony Scarpino
Hi,

I need a quick review on a simple certpath config change.

http://cr.openjdk.java.net/~ascarpino/8174849/webrev/

thanks

Tony
Reply | Threaded
Open this post in threaded view
|

Re: [RFR] 8174849: Change SHA1 certpath restrictions

Sean Mullan
Looks fine. You'll need to add a noreg label to the bug though.

--Sean

On 2/13/17 4:47 PM, Anthony Scarpino wrote:
> Hi,
>
> I need a quick review on a simple certpath config change.
>
> http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
>
> thanks
>
> Tony
Reply | Threaded
Open this post in threaded view
|

Re: [RFR] 8174849: Change SHA1 certpath restrictions

Bernd Eckenfels-4
In reply to this post by Anthony Scarpino
Hello,

The bug does not explain why. I would understand to completely deny SHA1 (I.e. Unconditionally), but allowing it seems strange, especially without a justification.





On Mon, Feb 13, 2017 at 10:57 PM +0100, "Anthony Scarpino" <[hidden email]> wrote:

Hi,

I need a quick review on a simple certpath config change.

http://cr.openjdk.java.net/~ascarpino/8174849/webrev/

thanks

Tony
Reply | Threaded
Open this post in threaded view
|

Re: [RFR] 8174849: Change SHA1 certpath restrictions

Sean Mullan
On 2/14/17 2:33 AM, Bernd Eckenfels wrote:
> Hello,
>
> The bug does not explain why. I would understand to completely deny SHA1
> (I.e. Unconditionally), but allowing it seems strange, especially
> without a justification.

The initial disabling of SHA-1 certificates in JDK 9 is too broad and
affects all certificates. The compatibility risk at this time is too
high to make that change. We are working on an updated plan which will
focus initially on TLS Server certificates. More details will be
provided later.

Thanks,
Sean

>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
>
>
>
>
> On Mon, Feb 13, 2017 at 10:57 PM +0100, "Anthony Scarpino"
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     Hi,
>
>     I need a quick review on a simple certpath config change.
>
>     http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
>
>     thanks
>
>     Tony
>
Reply | Threaded
Open this post in threaded view
|

Re: [RFR] 8174849: Change SHA1 certpath restrictions

Jim Manico
The attacks against SHA-1 certificates are very real. SHA1 signatures
are spoofable at a relatively low cost and that cost is only getting
cheaper. Most other mature clients (browsers, etc) have an extremely
aggressive rejection of SHA1 signatures.

Why is Java9 rolling this back? What is breaking?

Aloha, Jim Manico



On 2/14/17 3:07 AM, Sean Mullan wrote:

> On 2/14/17 2:33 AM, Bernd Eckenfels wrote:
>> Hello,
>>
>> The bug does not explain why. I would understand to completely deny SHA1
>> (I.e. Unconditionally), but allowing it seems strange, especially
>> without a justification.
>
> The initial disabling of SHA-1 certificates in JDK 9 is too broad and
> affects all certificates. The compatibility risk at this time is too
> high to make that change. We are working on an updated plan which will
> focus initially on TLS Server certificates. More details will be
> provided later.
>
> Thanks,
> Sean
>
>>
>> Gruss
>> Bernd
>> --
>> http://bernd.eckenfels.net
>>
>>
>>
>>
>> On Mon, Feb 13, 2017 at 10:57 PM +0100, "Anthony Scarpino"
>> <[hidden email] <mailto:[hidden email]>>
>> wrote:
>>
>>     Hi,
>>
>>     I need a quick review on a simple certpath config change.
>>
>>     http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
>>
>>     thanks
>>
>>     Tony
>>