I wonder if "weak key" should be replaced by "weak key length" or "short key". It might otherwise imply key quality tests which are not carried out.
Gruss Bernd -- http://bernd.eckenfels.net ________________________________ From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Weijun Wang <weijun.w...@oracle.com> Sent: Friday, March 24, 2017 2:12:01 AM To: Security Dev OpenJDK Subject: RFR: 3 security-libs release notes on keytool/krb5/etc Hi All Please take a review on 3 release notes. The content itself is pasted as quotation below. https://bugs.openjdk.java.net/browse/JDK-8176087 keytool now prints warnings when reading or generating cert/cert req using weak algorithms > In all keytool functions, if the certificate/certificate request/CRL > that is working on (whether it be the input, the output, or an > existing object) is using a weak algorithm or key, a warning will be > printed out. > > Precisely, an algorithm or a key is weak if it matches the value of > the jdk.certpath.disabledAlgorithms security property defined in > conf/security/java.security. https://bugs.openjdk.java.net/browse/JDK-8174143 Deprecate security APIs that have been superseded > The classes and interfaces in the `java.security.acl` and > `javax.security.cert` packages have been superseded by replacements > for a long time and are deprecated in JDK 9. Two methods > `javax.net.ssl.HandshakeCompletedEvent.getPeerCertificateChain()` and > `javax.net.ssl.SSLSession.getPeerCertificateChain()` are also > deprecated since they return the > `javax.security.cert.X509Certificate` type. https://bugs.openjdk.java.net/browse/JDK-8168635 rcache interop with krb5-1.15 > The hash algorithm used in the Kerberos 5 replay cache file (rcache) > is updated from MD5 to SHA256 with this change. This is also the > algorithm used by MIT krb5-1.15. This change is interoperable with > earlier releases of MIT krb5, which means Kerberos 5 acceptors from > JDK 9 and MIT krb5-1.14 can share the same rcache file. > > A new system property named jdk.krb5.rcache.useMD5 is introduced. If > the system property is set to "true", JDK 9 will still use the MD5 > hash algorithm in rcache. This is useful when both of the following > conditions are true: 1) the system has a very coarse clock and has to > depend on hash values in replay attack detection, and 2) > interoperability with earlier versions of JDK or MIT krb5 for rcache > files is required. The default value of this system property is > "false". Thanks Max
