Closed GoogleCodeExporter closed 9 years ago
Original comment by gm2...@cerner.com
on 3 Aug 2011 at 1:23
.NET supports CRL upon validating the certificate path. Using OCSP may be a
configuration option of the underlying PKI framework.
Java supports the same type of checking by default in the certificate path
validation APIs. JCE providers support CRLs by default and OCSP with a similar
change to the JVM security configuration. Today the Java RI handles revocation
inside the certificate resolver using CRLs only. The implementation will
change to handling it at cert path validation time and delegate CRL and OCSP
checking to the underlying JCE provider.
Original comment by gm2...@cerner.com
on 3 Aug 2011 at 5:59
Changing the implementation guide for this enhancement.
The Java JCE implementation fails revocation checking if a certificate does not
define CRL distribution points. Although it is considered best practice for
certificates to use CRL or OCSP extensions, the JCE implementation is
incompatible with existing certificates without these extensions.
The RI will take a more conservative approach and allow the use of certificates
without the extensions. This means the Java RI will implement an alternative
approach to CRL and OCSP revocation without using the default JCE
implementation.
Original comment by gm2...@cerner.com
on 18 Oct 2011 at 1:48
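The behaviour discussed in the comments above, as an added example that is not part of the original thread and is not the Java RI's code: PKIX path validation with the default JCE revocation checker switched on only when every certificate in the path carries a CRL distribution point or AIA extension. The class and method names are hypothetical; `com.sun.security.enableCRLDP` and `ocsp.enable` are the Sun/Oracle provider's settings, assumed here to be the configuration the comments refer to.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class RevocationAwareValidator {               // hypothetical name
    static final String CRL_DP_OID = "2.5.29.31";         // cRLDistributionPoints
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";    // authorityInfoAccess (may hold an OCSP URL)

    /** Presence check only: the extension bodies are not parsed. An AIA without
     *  an OCSP entry still counts, in which case validation fails closed. */
    static boolean hasRevocationPointer(X509Certificate cert) {
        return cert.getExtensionValue(CRL_DP_OID) != null
            || cert.getExtensionValue(AIA_OID) != null;
    }

    /** Validates chain (leaf first) against anchor; throws if the path is invalid.
     *  Returns true only if the JCE provider also performed revocation checking. */
    static boolean validate(List<X509Certificate> chain, X509Certificate anchor) throws Exception {
        boolean checkable = chain.stream().allMatch(RevocationAwareValidator::hasRevocationPointer);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        // With revocation enabled, a certificate that names no CRL or OCSP source
        // cannot be checked and the whole path is rejected.
        params.setRevocationEnabled(checkable);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return checkable;
    }

    public static void main(String[] args) throws Exception {
        // usage: java RevocationAwareValidator anchor.pem leaf.pem [intermediate.pem ...]
        // Set before the first validation; usually given as a -D flag / java.security entry.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (String file : args) {
            try (InputStream in = new FileInputStream(file)) {
                certs.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        boolean checked = validate(certs.subList(1, certs.size()), certs.get(0));
        System.out.println(checked ? "path valid, revocation checked"
                                   : "path valid, revocation NOT checked (no CRL DP / AIA)");
    }
}
```

The boolean result lets the caller log paths that were accepted without a revocation check or route them to an alternative check such as a locally configured CRL.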
Original comment by gm2...@cerner.com
on 18 Oct 2011 at 4:49
Released in agent version 1.2.
Original comment by gm2...@cerner.com
on 23 Jan 2012 at 4:43
Original issue reported on code.google.com by
abarea...@gmail.com
on 3 Aug 2011 at 1:22