RFR: 8307134: Add GTS root CAs

Andy Warner duke at openjdk.org
Tue May 2 19:02:22 UTC 2023


On Tue, 2 May 2023 18:42:36 GMT, Rajan Halade <rhalade at openjdk.org> wrote:

> I have infra tests for interop implemented. @jianglizhou, please check https://github.com/openjdk/jdk/compare/master...rhalade:jdk:googletrust-certify?expand=1

Aside from the bug number @jianglizhou raised, the interop tests look good to me.

> src/java.base/share/data/cacerts/globalsigneccrootcar4 line 3:
> 
>> 1: Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
>> 2: Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
>> 3: Serial number: 203e57ef53f93fda50921b2a6
> 
> Why is this certificate changed?

The original R4 did not have the digitalSignature keyUsage set. This root signs OCSP responses, so it needed to be reissued to comply with section 7.1.2.1 of the CA/B Forum baseline requirements. The only change between the two versions aside from the serial number is the addition of the digitalSignature key usage bit.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/13754#issuecomment-1531995277
PR Review Comment: https://git.openjdk.org/jdk/pull/13754#discussion_r1182931200
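The difference described in the message above is a single bit in the certificate's keyUsage extension. The following is an added example, not part of the original message or of OpenJDK: it decodes a DER-encoded KeyUsage BIT STRING (RFC 5280, section 4.2.1.3) and checks for the bits a root that signs OCSP responses needs. The function names are hypothetical and the sample bytes are constructed, not extracted from either version of the R4 certificate.

```python
# Added example: decode the DER BIT STRING carried in an X.509 keyUsage
# extension and test for the digitalSignature bit.

KEY_USAGE_BITS = (  # bit 0 is the most significant bit of the first content octet
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the key usage names asserted in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding for KeyUsage")
    unused = der[2]          # number of padding bits in the last octet
    content = der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if content[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def root_may_sign_ocsp(der: bytes) -> bool:
    """Check from the message: a root that signs OCSP responses needs
    digitalSignature in addition to keyCertSign and cRLSign."""
    required = {"digitalSignature", "keyCertSign", "cRLSign"}
    return required <= decode_key_usage(der)

# Constructed sample values (assumptions, not taken from the real certificates):
# keyCertSign + cRLSign only: bits 5 and 6 -> 0b00000110, 1 unused bit
KU_WITHOUT_DS = bytes.fromhex("03020106")
# digitalSignature + keyCertSign + cRLSign -> 0b10000110, 1 unused bit
KU_WITH_DS = bytes.fromhex("03020186")

if __name__ == "__main__":
    for label, ku in (("without", KU_WITHOUT_DS), ("with", KU_WITH_DS)):
        print(label, sorted(decode_key_usage(ku)), root_may_sign_ocsp(ku))
```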


