> On Jun 1, 2019, at 2:41 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> Rename it to "Migrate cacerts keystore to password-less PKCS12 format".
>
> In the Problem section, you may also want to add something like:
>
> - the certificates are public
> - The integrity protection is not really necessary since the cacerts file is
> part of the installed JDK, which should be installed using a secure mechanism
> and protected appropriately on-disk from modification.
Added.
>
> In the Solution section, you should probably mention that if the
> "keystore.type.compat" security property is set to false, then the risk of
> breakage would be high, but we do not believe that this property is changed
> very often.
I added it into the "Compatibility Risk Description" field but kept the level
minimal.
Thanks,
Max
>
> --Sean
>
> On 5/30/19 11:32 PM, Weijun Wang wrote:
>> Please review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8224891
>> (Oh, I hate the CSR having a different bug id.)
>> Basically, with this change, the cacerts file can be loaded with
>> KeyStore.getInstance("JKS" or "PKCS12").load(stream, null or anything) or
>> KeyStore.getInstance(new File("cacerts"), null or anything)
>> so hopefully all your old code should still work.
>> I've also opened another RFE [1] that intends to find a different way to tag
>> jdkCA entries in cacerts other than appending "[jdk]" to the alias.
>> Thanks,
>> Max
>> [1] https://bugs.openjdk.java.net/browse/JDK-8225099
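As an added illustration that is not part of the thread, the following Java check exercises the three access patterns Max lists (explicit "JKS", explicit "PKCS12", and the type-probing `KeyStore.getInstance(File, char[])` form) against a deployed cacerts with a null password, and reports the `keystore.type.compat` setting that decides whether the "JKS" path can fall back to PKCS12. The cacerts location under `java.home` is an assumption, not taken from the thread.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Collections;
import java.util.List;

public class CacertsLoadCheck {

    // Assumed location of the JDK's cacerts file (not stated on the page).
    static final File CACERTS = new File(System.getProperty("java.home"),
            "lib" + File.separator + "security" + File.separator + "cacerts");

    // Load with an explicit keystore type and a null password: no integrity
    // check is attempted, which is what the password-less format relies on.
    static KeyStore loadAs(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(CACERTS)) {
            ks.load(in, null);
        }
        return ks;
    }

    // Count trusted-certificate entries so the three patterns can be compared.
    static int trustedEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // false here means the "JKS" path below is expected to fail on a PKCS12 file.
        System.out.println("keystore.type.compat = "
                + Security.getProperty("keystore.type.compat"));

        for (String type : List.of("JKS", "PKCS12")) {
            try {
                KeyStore ks = loadAs(type);
                System.out.printf("%-6s -> %d trusted entries%n", type, trustedEntries(ks));
            } catch (IOException e) {
                System.out.printf("%-6s -> failed to load: %s%n", type, e.getMessage());
            }
        }

        // Type-probing form with a null password; the file's format is detected.
        KeyStore probed = KeyStore.getInstance(CACERTS, (char[]) null);
        System.out.printf("probe  -> %d trusted entries%n", trustedEntries(probed));
    }
}
```

Run it once before and once after switching the JDK's cacerts to the new format; all three lines should report the same entry count, and only the "JKS" line should change if `keystore.type.compat` has been set to false.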