> On Dec 8, 2017, at 10:45 PM, Volker Simonis <volker.simo...@gmail.com> wrote:
> 
> OK, I've opened the RFR "JDK-8193255: Root Certificates should be
> stored in text format and assembled at build time" for this issue.

In fact, I would recommend we directly release cacerts as a text file 
containing PEM certificates, for these reasons:

- We are navigating away from JKS because it's not standard

- Certificates in PKCS12 require a password to read

- I see no necessity for protecting cacerts, either for integrity or 
confidentiality, with a password

- A publicly known password is worse than no password

- Arbitrary comments (outside the -----BEGIN/END CERTIFICATE----- blocks) can be 
added as attributes

Thanks
Max
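
What reading such a text-format trust store could look like, as an added example that is not part of the original message or of the JDK. The "Key: value" attribute convention, the names `parse_pem_bundle` and `SAMPLE`, and the placeholder payloads are assumptions made for illustration.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def parse_pem_bundle(text):
    """Parse a PEM bundle into [{"attrs", "der", "sha256"}, ...]. Text outside
    BEGIN/END is never certificate data; as an assumed convention, "Key: value"
    lines there become attributes of the next block."""
    entries, attrs, body = [], {}, None  # body is None while outside a block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside a block")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            try:  # strict decoding: stray characters in a block are an error
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:
                raise ValueError(f"line {lineno}: bad base64: {exc}") from None
            entries.append({"attrs": attrs, "der": der,
                            "sha256": hashlib.sha256(der).hexdigest()})
            attrs, body = {}, None
        elif body is not None:
            body.append(line)  # base64 payload line
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    if body is not None:
        raise ValueError("unterminated certificate block")
    return entries

# Constructed sample: payloads are placeholder bytes, not real X.509 DER.
SAMPLE = "\n".join([
    "# trust store kept as text (constructed sample)",
    "Alias: exampleroot1",
    BEGIN, base64.b64encode(b"placeholder DER one").decode(), END,
    "",
    "Alias: exampleroot2",
    "Owner: CN=Example Root 2",
    BEGIN, base64.b64encode(b"placeholder DER two").decode(), END,
])

if __name__ == "__main__":
    for entry in parse_pem_bundle(SAMPLE):
        print(entry["attrs"].get("Alias"), entry["sha256"][:16])
```

The SHA-256 fingerprint of each decoded block gives a reviewer something to compare against a CA's published value, which is the kind of integrity check a publicly known keystore password does not provide.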

