JDK-8175798 : Release Note: Fix denyAfter and usage types for security properties
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2017-02-24
  • Updated: 2022-10-31
  • Resolved: 2017-02-27
  • Fix Version: JDK 9 (Resolved)
Description
A new constraint named 'usage' has been added to the 'jdk.certpath.disabledAlgorithms' security property. When set, it restricts the algorithm if it is used in a certificate chain for the specified usage(s). Three usages are initially supported: 'TLSServer' for restricting authentication of TLS server certificate chains, 'TLSClient' for restricting authentication of TLS client certificate chains, and 'SignedJAR' for restricting certificate chains used with signed JARs. This constraint should be used when disabling an algorithm for all usages is not practical. The usage type follows the keyword, and more than one usage type can be specified, delimited by whitespace. For example, to disable SHA1 for TLS server and client certificate chains, add the following to the property: "SHA1 usage TLSServer TLSClient"

The 'denyAfter' constraint has been added to the 'jdk.jar.disabledAlgorithms' security property. When set, it restricts the specified algorithm if it is used in a signed JAR after the specified date, as follows:

a. if the JAR is not timestamped, it is restricted (treated as unsigned) after the specified date;

b. if the JAR is timestamped, it is not restricted if it was timestamped before the specified date.

For example, to restrict usage of SHA1 in JAR files signed after January 1, 2018, add the following to the property: "SHA1 denyAfter 2018-01-01".
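The following java.security fragments are an added example, not text from the release note or the JDK's shipped defaults; the algorithm lists shown are illustrative and the only constraint syntax used is the 'usage' and 'denyAfter' syntax described above. The first line shows the blanket setting that the 'usage' constraint is meant to replace when disabling an algorithm everywhere is impractical, and the later lines show the scoped equivalents.

```properties
# Added example (not from the JDK release note itself). Algorithm lists
# are illustrative, not the JDK's default values.

# Before: SHA1 is disabled for every certificate-path usage. Any chain
# that uses SHA1 is rejected, including code-signing chains that may
# still be needed.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1

# After: SHA1 is restricted only when the chain is used for TLS server or
# TLS client authentication. The 'SignedJAR' usage is not listed, so
# signed-JAR chains are unaffected by this entry. Usages follow the
# 'usage' keyword, separated by whitespace.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 usage TLSServer TLSClient

# Signed JARs: a SHA1-signed JAR is treated as unsigned if it carries no
# timestamp and the date is past 2018-01-01, or if its timestamp is later
# than that date. A JAR timestamped before 2018-01-01 remains accepted.
jdk.jar.disabledAlgorithms=MD2, MD5, SHA1 denyAfter 2018-01-01
```

In JDK 9 the master file is conf/security/java.security under the JDK installation; the same lines can instead be placed in a separate file and applied with the java.security.properties system property, which appends to (or, with a leading '=', replaces) the master settings, which is the usual way to test a stricter policy on one deployment before changing the JDK-wide file.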
Comments
See JDK-8177285 for releases previous to 9.
29-03-2017