This issue tracks investigating if it would be feasible to allow JAR files signed with an EC based cert on the module path. As things stand this is not currently allowed because signed JARs on the module path are verified during early startup when only code in java.base can execute. There are several tricky bootstrapping issues that arise when extending this to use security providers linked into the run-time image, mostly because the verification must be done before user code executes (and so before a custom security manager or custom application class loader is initialised). Furthermore, any verification must be restricted to use security providers that are linked into the run-time image. One possible approach is to skip verification until after the boot layer is created but before the steps in initPhase3 execute. This will require changes in several areas and prototyping will help us to determine if the approach is feasible or not.