Code review request: 8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as defined in RFC3161
Weijun Wang
weijun.wang at oracle.com
Fri Apr 19 07:38:29 UTC 2013
Hi Bernd
Sorry for the late reply.
On 4/12/13 9:55 AM, Bernd Eckenfels wrote:
> Should the comment describe the expected oid format for the string (Numeric only?) and mention a defining reference (RFC3161)?
It will be described in jarsigner.html, the tool doc. Everything about
TSA is defined in RFC 3161, so I guess it's not necessary to mention it
again.
>
> I haven't found some sample OIDs used here, which are common?
I don't know. In fact, I've tried out the 3 TSA servers listed in the
bug report without providing a policyID. Each returns a timestamp with a
different default policyID. So it seems at least now there are no
"well-known" policyIDs yet.
>
> BTW: why is it linked to the URL?
The generateSignedData method is used to create the whole signature
inside a signed jar file which might not have a timestamp at all. A
timestamp is only included when a TSA server is specified with the
tsaURI argument (equivalent to the -tsa option of jarsigner). Without this
argument, it's just a plain signature, and of course the policyID is
useless. This is like when jarsigner does not have -tsa or -tsacert: it's
also useless to have -tsapolicyid.
Thanks
Max
>
> Bernd
>
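
An added example, not part of the thread and not JDK code: it shows where a TSA policy ID sits in the RFC 3161 TimeStampReq, as an optional OBJECT IDENTIFIER that exists only when a timestamp request is built at all, and it rejects policy strings that are not dotted-decimal OIDs. The function names are hypothetical, the policy OID is a constructed placeholder under the 2.999 example arc, and the optional nonce is left out so the output is deterministic.

```python
import hashlib
import re

SHA256_OID = "2.16.840.1.101.3.4.2.1"
EXAMPLE_POLICY = "2.999.1.2"  # constructed placeholder under the 2.999 example arc

def tlv(tag, content):
    """DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_oid(dotted):
    """Encode a dotted-decimal OID; reject anything that is not numeric arcs."""
    if not re.fullmatch(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+", dotted):
        raise ValueError("policy ID must be a dotted-decimal OID: %r" % dotted)
    arcs = [int(a) for a in dotted.split(".")]
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs in OID: %r" % dotted)
    body = b""
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]              # last byte has the high bit clear
        while sub > 0x7F:
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def timestamp_req(data, policy_id=None, cert_req=True):
    """Build a TimeStampReq over SHA-256(data); nonce omitted for determinism."""
    alg = tlv(0x30, der_oid(SHA256_OID) + tlv(0x05, b""))
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.sha256(data).digest()))
    body = tlv(0x02, b"\x01") + imprint   # version v1(1), messageImprint
    if policy_id is not None:
        body += der_oid(policy_id)        # reqPolicy TSAPolicyId OPTIONAL
    if cert_req:
        body += tlv(0x01, b"\xff")        # certReq BOOLEAN TRUE
    return tlv(0x30, body)

if __name__ == "__main__":
    print(timestamp_req(b"signature bytes", EXAMPLE_POLICY).hex())
```
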