Ping again.
Also, must we resolve this one before ZBB?
--Max
On 02/09/2017 10:26 AM, Weijun Wang wrote:
An update webrev is at
http://cr.openjdk.java.net/~weijun/8171319/webrev.01/
The major change is that every risk warning has an owner now, i.e.
instead of just saying "MD5withRSA is
The attacks against SHA-1 certificates are very real. SHA1 signatures
are spoofable at a relatively low cost and that cost is only getting
cheaper. Most other mature clients (browsers, etc.) have an extremely
aggressive rejection of SHA1 signatures.
Why is Java9 rolling this back? What is
Hi Max,
I agree this change is necessary so that we can resolve this tck-red
issue before ZBB. However, since the TCK Policy provider implementation
is not a "typical" implementation in the sense that it is denying
permissions instead of granting permissions, I think we should continue
to
On 2/14/17 2:33 AM, Bernd Eckenfels wrote:
Hello,
The bug does not explain why. I would understand to completely deny SHA1
(i.e. unconditionally), but allowing it seems strange, especially
without a justification.
The initial disabling of SHA-1 certificates in JDK 9 is too broad and
affects
Looks good.
--Sean
On 2/14/17 5:55 AM, Wang Weijun wrote:
Please review this doc bug
diff --git
a/src/java.base/share/classes/java/security/DrbgParameters.java
b/src/java.base/share/classes/java/security/DrbgParameters.java
--- a/src/java.base/share/classes/java/security/DrbgParameters.java
Please review this doc bug
diff --git
a/src/java.base/share/classes/java/security/DrbgParameters.java
b/src/java.base/share/classes/java/security/DrbgParameters.java
--- a/src/java.base/share/classes/java/security/DrbgParameters.java
+++