Hi, JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests removing the deprecated classes in javax.security.cert.
The CSR was withdrawn last year following ecosystem compatibility concerns: Given the compatibility risks/impacts with existing providers and JSSE > implementations, we've decided to withdraw this CSR for the time being. I reached out to the BouncyCastle project [3] and they are basically OK with the OpenJDK project to go ahead and remove the APIs: It's a just cause, so go ahead and deal with it, I think all we need is > someone to let us know when it's done and point us at a JVM so we can > start organising the new jar. I have also contributed the following PRs to make Tomcat, Netty, Vert.x and Undertow aware of the plans of removal and also to provide the actual code changes: https://github.com/apache/tomcat/pull/608 https://github.com/netty/netty/pull/13326 https://github.com/eclipse-vertx/vert.x/pull/4665 https://github.com/undertow-io/undertow/pull/1468 Implementing these PRs was mostly straightforward, indicating that the impact in these projects would be relatively low if these APIs would be removed today. I think we are in a bit of a knotty situation where the ecosystem is now basically just waiting for OpenJDK to actually remove these APIs. Based on my recent interaction with these projects I'm hopeful that the ecosystem impact is lower than what has been assessed previously. I believe we should go ahead with this removal, sooner rather than later. Any thoughts? Thanks, Eirik. [1] https://bugs.openjdk.org/browse/JDK-8227024 [2] https://bugs.openjdk.org/browse/JDK-8227395 [3] https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2
