- Enhancement
- Resolution: Fixed
- P3
- 11, 12
- b17
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8217160 | 11.0.4-oracle | Rajan Halade | P3 | Resolved | Fixed | b01 |
JDK-8220438 | 11.0.4 | Sean Mullan | P3 | Resolved | Fixed | b01 |
JDK-8223848 | openjdk8u222 | Rajan Halade | P3 | Resolved | Fixed | b03 |
The GTE CyberTrust Global Root expires on Aug. 13, 2018. It also uses a 1024-bit key and MD5 signature. There is no replacement for this root. The cacerts keystore alias name for this root is "gtecybertrustglobalca [jdk]".
Certificates that chain back to this root have been issued for TLS and code signing. With code signing certificates, the signed code may have also been timestamped, allowing that code to continue to be valid even after the code signing certificate (or any CA in its chain, including the root) expires. Thus, if we removed this root, there is a risk that we would break existing signed code that has been timestamped with certificates chaining back to this root.
However, this is primarily a risk for signed applets and Web Start apps. Applets are deprecated as of JDK 9 and Oracle does not include Web Start in JDK 11. I am not aware of other use cases for timestamping Java code. Therefore, I think it is safe and of minimal risk to remove this root going forward.
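To check whether a given runtime's trust store still carries this root, or any other root with the same weaknesses named above (1024-bit key, MD5 signature, expired), the following added example audits a cacerts file. It is not code from the JDK project; the class name `CacertsAudit` and the default path under `java.home` are assumptions, and only the alias string comes from this issue.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Hypothetical audit helper (added example, not JDK code).
public class CacertsAudit {
    // Alias quoted in the issue description.
    static final String GTE_ALIAS = "gtecybertrustglobalca [jdk]";

    // Returns the weaknesses this issue names that apply to one certificate.
    static List<String> findings(X509Certificate c, Date now) {
        List<String> out = new ArrayList<>();
        if (c.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength();
            if (bits <= 1024) out.add("RSA key is " + bits + " bits");
        }
        if (c.getSigAlgName().toUpperCase().contains("MD5")) out.add("signed with " + c.getSigAlgName());
        if (c.getNotAfter().before(now)) out.add("expired on " + c.getNotAfter());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default trust store path; pass another path as the first argument.
        Path path = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, null); // null password: integrity check skipped, certificates still load
        }
        System.out.println(GTE_ALIAS + " present: " + ks.containsAlias(GTE_ALIAS));
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            List<String> f = findings((X509Certificate) cert, now);
            if (!f.isEmpty()) System.out.println(alias + ": " + String.join("; ", f));
        }
    }
}
```

On a runtime that includes this fix the alias line prints `false`; any remaining aliases listed are roots that share one or more of the same properties.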
- backported by
  - JDK-8217160 Remove GTE CyberTrust Global Root (Resolved)
  - JDK-8220438 Remove GTE CyberTrust Global Root (Resolved)
  - JDK-8223848 Remove GTE CyberTrust Global Root (Resolved)
- relates to
  - JDK-8198240 Allow cacerts test to pass when GTECyberTrust root expires (Resolved)
  - JDK-8194693 jdk considers one of its own root certificates insufficiently secure (Closed)
  - JDK-8243559 Remove root certificates with 1024-bit keys (Resolved)