Hi Bernd

Sorry for the late reply.

On 4/12/13 9:55 AM, Bernd Eckenfels wrote:
> Should the comment describe the expected oid format for the string (Numeric
> only?) and mention a defining reference (RFC3161)?

It will be described in jarsigner.html, the tool doc. Everything about TSA is defined in RFC 3161, so I guess it's not necessary to mention it again.


> I haven't found some sample OIDs used here, which are common?

I don't know. In fact, I've tried out the 3 TSA servers listed in the bug report without providing a policyID. Each returns a timestamp with a different default policyID. So it seems at least now there are no "well-known" policyIDs yet.


> BTW: why is it linked to the URL?

The generateSignedData method is used to create the whole signature inside a signed jar file, which might not have a timestamp at all. A timestamp is only included when a TSA server is specified with the tsaURI argument (equivalent to the -tsa option of jarsigner). Without this argument, it's just a plain signature, and of course the policyID is useless. This is like when jarsigner does not have -tsa or -tsacert: it's also useless to have -tsapolicyid.

Thanks
Max



Bernd
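
Added example, not part of the original message and not JDK code: a Python sketch of the RFC 3161 TimeStampReq discussed above, showing that reqPolicy is an optional OID field that is simply absent when no policy ID is given, which is when the TSA falls back to its own default. The dotted-decimal input format, the function names and the sample policy OID 1.2.3.4 are assumptions made for illustration.

```python
import hashlib

SHA256_OID = "2.16.840.1.101.3.4.2.1"  # id-sha256

def _tlv(tag, content):
    """DER tag-length-value with definite length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def encode_oid(dotted):
    """Validate a dotted-decimal OID string and DER-encode it."""
    parts = dotted.split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("policy ID must be a numeric dotted OID: %r" % dotted)
    arcs = [int(p) for p in parts]
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first/second arc in %r" % dotted)
    body = b""
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # low 7 bits, no continuation flag
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body += bytes(reversed(chunk))  # base-128, most significant first
    return _tlv(0x06, body)

def build_timestamp_req(data, policy_oid=None):
    """TimeStampReq v1 over SHA-256(data); reqPolicy only if requested."""
    version = _tlv(0x02, b"\x01")
    alg = _tlv(0x30, encode_oid(SHA256_OID) + _tlv(0x05, b""))
    imprint = _tlv(0x30, alg + _tlv(0x04, hashlib.sha256(data).digest()))
    req_policy = encode_oid(policy_oid) if policy_oid else b""
    cert_req = _tlv(0x01, b"\xff")  # ask the TSA to include its certificate
    return _tlv(0x30, version + imprint + req_policy + cert_req)

if __name__ == "__main__":
    sample = b"constructed sample signature bytes"  # constructed input
    print(build_timestamp_req(sample).hex())             # TSA picks default
    print(build_timestamp_req(sample, "1.2.3.4").hex())  # explicit policy
```

When checking what a TSA actually applied, compare the policy OID in the returned TSTInfo with the one requested; with no reqPolicy in the request there is nothing to compare against.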
