Integrated: 8277246: Check for NonRepudiation as well when validating a TSA certificate
Mike StJohns
mstjohns at comcast.net
Mon Nov 22 15:47:21 UTC 2021
You’ll be amused to find out that the code that generated the Rekor TS cert has been changed to use digitalSignature as its KU. https://github.com/sigstore/rekor/pull/504/files
I think the change you made is correct, but you probably won’t see a nonRepudiation bit for a while again.

Mike
Sent from my iPad
> On Nov 17, 2021, at 15:09, Weijun Wang <weijun at openjdk.java.net> wrote:
>
> On Tue, 16 Nov 2021 19:36:11 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>
>> There is no need to check for the KeyUsage extension when validating a TSA certificate.
>>
>> A test is modified where a TSA cert has a KeyUsage but without the DigitalSignature bit.
>
> This pull request has now been integrated.
>
> Changeset: 262d0700
> Author: Weijun Wang <weijun at openjdk.org>
> URL: https://git.openjdk.java.net/jdk/commit/262d07001babcbe7f9acd2053aa3b7bac304cf85
> Stats: 6 lines in 2 files changed: 3 ins; 0 del; 3 mod
>
> 8277246: Check for NonRepudiation as well when validating a TSA certificate
>
> Reviewed-by: xuelei, mullan
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/6416
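
The check named in the changeset title, written out as an added example; it is not the JDK's code or part of the thread. The class and method names are hypothetical, the KeyUsage arrays in `main` are constructed sample input, and the extended key usage test follows RFC 3161 section 2.3, which goes beyond what the messages above discuss.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public class TsaCertUsageCheck {
    // Bit positions in the boolean[] returned by X509Certificate.getKeyUsage().
    static final int DIGITAL_SIGNATURE = 0;
    static final int NON_REPUDIATION = 1;
    static final int KEY_CERT_SIGN = 5;
    static final String EKU_EXTENSION_OID = "2.5.29.37";
    static final String ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8";

    static boolean bit(boolean[] ku, int i) {
        return i < ku.length && ku[i];
    }

    // A null array means the KeyUsage extension is absent, which restricts nothing.
    // If the extension is present, either digitalSignature or nonRepudiation is accepted.
    static boolean keyUsageAllowsTimestamping(boolean[] ku) {
        return ku == null || bit(ku, DIGITAL_SIGNATURE) || bit(ku, NON_REPUDIATION);
    }

    // RFC 3161 section 2.3 (an assumption added here, not from the thread):
    // the EKU extension must be critical and carry only id-kp-timeStamping.
    static boolean isAcceptableTsaCert(X509Certificate cert) throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean ekuOk = eku != null && eku.size() == 1 && eku.contains(ID_KP_TIMESTAMPING)
                && critical != null && critical.contains(EKU_EXTENSION_OID);
        return ekuOk && keyUsageAllowsTimestamping(cert.getKeyUsage());
    }

    // Builds a constructed KeyUsage array with the given bits set.
    static boolean[] keyUsage(int... setBits) {
        boolean[] ku = new boolean[9];
        for (int b : setBits) ku[b] = true;
        return ku;
    }

    public static void main(String[] args) {
        System.out.println("no KeyUsage extension: " + keyUsageAllowsTimestamping(null));
        System.out.println("digitalSignature only: " + keyUsageAllowsTimestamping(keyUsage(DIGITAL_SIGNATURE)));
        System.out.println("nonRepudiation only:   " + keyUsageAllowsTimestamping(keyUsage(NON_REPUDIATION)));
        System.out.println("keyCertSign only:      " + keyUsageAllowsTimestamping(keyUsage(KEY_CERT_SIGN)));
    }
}
```

Only the last case is rejected; a certificate carrying just nonRepudiation passes the KeyUsage test the same way one carrying just digitalSignature does.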