JDK-8130026

When using browser certificate store, JWS should filter out expired certs


    • b107
    • x86
    • windows_xp

      A DESCRIPTION OF THE REQUEST :
      On Windows platforms, it is frequently necessary to keep expired PKI certificates in the browser's keystore (for example, MS Outlook may need them to open old encrypted emails). When JWS needs to select a certificate from the browser keystore for client identification, these expired certs are presented in the list and the user must view the details of each certificate one by one in order to find the correct one (even if there is only one valid certificate!). Worse yet, the list is not presented in the same order each time, so you can't even rely on the position in the list. This can make the JWS user experience very frustrating.

      JUSTIFICATION :
      Expired certs can't be used for client identification anyway, so by default they should be filtered from the list. An option to maintain the current behavior could be added just in case someone needed it.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      If only one valid, usable, certificate exists then JWS should select it automatically.
      ACTUAL -
      JWS presents a list containing invalid (expired) certificates. The expired certificates might need to remain in the browser keystore in order to read mail in MS Outlook (or other applications) that were encrypted using those certificates, so removing them is not always an option.

      ---------- BEGIN SOURCE ----------
      This would be very difficult to provide, since it relies on having an expired certificate.
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      There is no real work-around, it's just a severe nuisance. I've tried importing the PKI certificate into the java keystore, but then the user is forced to provide the password to the java keystore each time they run the JWS application (at least for apps that are set to check for updates). If the java keystore were unlocked automatically then this could potentially be an acceptable workaround, but simply filtering expired certs would seem to be much easier and provide a more cross-platform solution.
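The filtering and auto-selection the request describes, as an added example written for this page (it is not JWS's own certificate-selection code, and the class and method names are assumptions). It opens the current user's Windows personal store through the JDK's SunMSCAPI provider (the `Windows-MY` keystore type, which is the store browsers and Outlook share on Windows), keeps only entries that have a private key and whose certificate is valid at the current time, sorts the surviving aliases so the list comes out in the same order every run, and picks the entry without a dialog when exactly one survives:

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Optional;

// Hypothetical helper illustrating the requested behaviour; not JWS code.
public final class ClientCertChooser {

    // Aliases that could actually be used for client authentication:
    // a private key is present and the certificate is valid at 'now'.
    // The result is sorted so the user sees the same order every time.
    static List<String> usableAliases(KeyStore ks, Date now) throws KeyStoreException {
        List<String> usable = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // Certificate only, no private key: cannot sign the TLS
                // CertificateVerify message, so it can never identify the client.
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            try {
                ((X509Certificate) c).checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                // Exactly the entries the request wants hidden from the list.
                continue;
            }
            usable.add(alias);
        }
        Collections.sort(usable);
        return usable;
    }

    // Exactly one usable entry: select it without prompting. Otherwise the
    // caller still has to prompt, but only with the filtered, sorted list.
    static Optional<String> autoSelect(List<String> usable) {
        return usable.size() == 1 ? Optional.of(usable.get(0)) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY is the current user's personal certificate store.
        // No password is involved; load(null, null) is the documented call.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        List<String> usable = usableAliases(ks, new Date());
        Optional<String> chosen = autoSelect(usable);
        if (chosen.isPresent()) {
            System.out.println("auto-selected: " + chosen.get());
        } else {
            System.out.println("prompt user with " + usable.size()
                    + " usable certificate(s): " + usable);
        }
    }
}
```

This only runs as written on a Windows JDK, where the SunMSCAPI provider is present; elsewhere `getInstance("Windows-MY", "SunMSCAPI")` throws `NoSuchProviderException`, and to exercise the filter you can load any PKCS12 file with its password instead. Note that `usableAliases` takes the reference time as a parameter so the expiry boundary can be tested with a fixed date rather than the wall clock.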

            herrick Andy Herrick (Inactive)
            webbuggrp Webbug Group
            Votes: 0
            Watchers: 3
