RFR: 8307134: Add GTS root CAs [v2]

Sean Mullan mullan at openjdk.org
Tue May 2 20:43:32 UTC 2023


On Tue, 2 May 2023 18:51:52 GMT, Andy Warner <duke at openjdk.org> wrote:

>> src/java.base/share/data/cacerts/globalsigneccrootcar4 line 3:
>> 
>>> 1: Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
>>> 2: Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
>>> 3: Serial number: 203e57ef53f93fda50921b2a6
>> 
>> Why is this certificate changed?
>
> The original R4 did not have the digitalSignature keyUsage set. This root signs OCSP responses, so it needed to be reissued to comply with section 7.1.2.1 of the CA/B Forum baseline requirements. The only change between the two versions aside from the serial number is the addition of the digitalSignature key usage bit.

Thanks for the explanation. Please file a different issue for this change, since it is outside the scope of this issue, which is to specifically add new roots that have been approved by the Java SE CA Root Program processes. Updated roots, even for small changes such as this, should be handled and approved using an equivalent process.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13754#discussion_r1183027007
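
The key usage difference discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from OpenJDK: it decodes the DER BIT STRING carried in a keyUsage extension (RFC 5280, section 4.2.1.3) and reports which bits differ between two versions. The two byte strings are constructed samples, not values extracted from the GlobalSign certificates, and the function names are hypothetical.

```python
# RFC 5280 section 4.2.1.3: KeyUsage is a BIT STRING; bit 0 is the most
# significant bit of the first content byte.
KEY_USAGE_NAMES = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def parse_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (keyUsage extension contents) into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_NAMES))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_NAMES[i])
    return names

def key_usage_delta(old: bytes, new: bytes):
    """Return (bits added, bits removed) between two keyUsage encodings."""
    old_bits, new_bits = parse_key_usage(old), parse_key_usage(new)
    return sorted(new_bits - old_bits), sorted(old_bits - new_bits)

def has_digital_signature(der: bytes) -> bool:
    """True if the digitalSignature bit (bit 0) is asserted."""
    return "digitalSignature" in parse_key_usage(der)

# Constructed samples: keyCertSign + cRLSign, then the same with bit 0 added.
OLD_KU = bytes.fromhex("03020106")
NEW_KU = bytes.fromhex("03020186")

if __name__ == "__main__":
    added, removed = key_usage_delta(OLD_KU, NEW_KU)
    print("old:", sorted(parse_key_usage(OLD_KU)))
    print("new:", sorted(parse_key_usage(NEW_KU)))
    print("added:", added, "removed:", removed)
```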


