-Bcc jdk9-dev

This question is more appropriate for security-dev, so I am copying that list for further discussion.

--Sean

On 06/09/2015 02:21 AM, Vyronas Tsingaras wrote:
Hi all,

I work for the Hellenic Academic and Research Institutions Certification 
Authority (https://www.harica.gr), a Root Certification Authority included in 
the NSS, Microsoft and Apple certificate stores. Our RootCA certificate uses 
the name constraints extension with a small error: instead of just gr, org and
edu in the permitted subtrees, it has .gr, .edu and .org. As a result,
certificates issued under our CA fail to verify with Java. We had the same
issue with OpenSSL and GnuTLS, but fortunately they modified their
implementation to accommodate our situation. I kindly ask if this is
something that could also be done with OpenJDK, and if so what would be the 
best way to implement that. Currently we have a patch against the 'constrains' 
method of 'DNSName' that just ignores the leading dot in name constraints.

Kind Regards,
Vyronas Tsingaras,
Aristotle University of Thessaloniki, IT Center
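
The matching difference discussed in this thread, as an added example that is not part of the original messages and is neither OpenJDK's code nor the patch mentioned above. The class and method names are hypothetical and the sample names are constructed; it compares a label-wise RFC 5280 check with the "ignore the leading dot" accommodation for the constraints "gr" and ".gr".

```java
import java.util.Locale;

public class DnsNameConstraintDemo {

    // RFC 5280 4.2.1.10: a DNS name satisfies the constraint if it can be
    // built by adding zero or more labels to the left of the constraint.
    // Compared label by label so "agr" never matches a constraint of "gr".
    // A constraint of ".gr" splits into an empty label plus "gr", and the
    // empty label can never equal a real label, so nothing matches it.
    static boolean strictPermits(String name, String constraint) {
        String[] n = name.toLowerCase(Locale.ROOT).split("\\.", -1);
        String[] c = constraint.toLowerCase(Locale.ROOT).split("\\.", -1);
        if (c.length > n.length) {
            return false;
        }
        for (int i = 1; i <= c.length; i++) {
            if (!c[c.length - i].equals(n[n.length - i])) {
                return false;
            }
        }
        return true;
    }

    // The accommodation described in the message: drop one leading dot
    // from the constraint, then apply the same label-wise check.
    // Side effect to be aware of: ".gr" then also permits the bare name "gr".
    static boolean lenientPermits(String name, String constraint) {
        String c = constraint.startsWith(".") ? constraint.substring(1) : constraint;
        return strictPermits(name, c);
    }

    public static void main(String[] args) {
        // Constructed sample values; not taken from any real certificate.
        String[] constraints = {"gr", ".gr"};
        String[] names = {"www.harica.gr", "gr", "agr", "www.example.com"};
        for (String c : constraints) {
            for (String n : names) {
                System.out.printf("constraint=%-4s name=%-16s strict=%-5b lenient=%b%n",
                        c, n, strictPermits(n, c), lenientPermits(n, c));
            }
        }
    }
}
```

Only a single leading dot is stripped, and the comparison stays on label boundaries, so the relaxed check does not turn a suffix such as "agr" into a match.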
