Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8195793

Remove GTE CyberTrust Global Root

XMLWordPrintable

        The GTE CyberTrust Global Root expires on Aug. 13, 2018. It also uses a 1024-bit key and MD5 signature. There is no replacement for this root. The cacerts keystore alias name for this root is "gtecybertrustglobalca [jdk]".

        Certificates that chain back to this root have been issued for TLS and code signing. With code signing certificates, the signed code may have also been timestamped, allowing that code to continue to be valid even after the code signing certificate (or any CA in its chain, including the root) expires. Thus, if we removed this root, there is a risk that we would break existing signed code that has been timestamped with certificates chaining back to this root.

        However, this is primarily a risk for signed applets and Web Start apps. Applets are deprecated as of JDK 9 and Oracle does not include Web Start in JDK 11. I am not aware of other use cases for timestamping Java code. Therefore, I think it is safe and of minimal risk to remove this root going forward.

              mullan Sean Mullan
              mullan Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: