On Tue, 16 Nov 2021 21:00:12 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> There is no need to check for the KeyUsage extension when validating a TSA >> certificate. >> >> A test is modified where a TSA cert has a KeyUsage but without the >> DigitalSignature bit. > > Weijun Wang has updated the pull request incrementally with one additional > commit since the last revision: > > clarify RFC requirement Hi Michael. Thanks for the comment. That was also our previous understanding but we are seeing timestamp returning by sigstore.dev (see the `rekor timestamp` command at https://github.com/sigstore/rekor) whose cert does not have the DigitialSignature bit set. -----BEGIN CERTIFICATE----- MIIBvzCCAWWgAwIBAgICBnowCgYIKoZIzj0EAwIwHzEdMBsGA1UEChMUaHR0cHM6 Ly9zaWdzdG9yZS5kZXYwHhcNMjExMTAyMTgxODI5WhcNMzExMTAyMTgxODI5WjAi MSAwHgYDVQQKExdSZWtvciBUaW1lc3RhbXBpbmcgQ2VydDBZMBMGByqGSM49AgEG CCqGSM49AwEHA0IABJIsOXOZUdgXhnNmvue9AAsxSYWdp+1HvEQQMYuZUsU0Ylf2 bKqIp3zVrc0a58pGJZvwGjyOHgY5lRevPP1huuOjgY0wgYowDgYDVR0PAQH/BAQD AgZAMAwGA1UdEwEB/wQCMAAwDgYDVR0OBAcEBQECAwQGMB8GA1UdIwQYMBaAFIiV AzEbE/rHgP3CA3x7tofqTtIcMCEGA1UdEQQaMBiHBH8AAAGHEAAAAAAAAAAAAAAA AAAAAAEwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwCgYIKoZIzj0EAwIDSAAwRQIg XdDBMPMTrtXiHmhFJOgQW8DDz/IaHkNZ+hXNL19dmuICIQCw3lE5+52F41kpY3B/ sJaPjuKmeIuEyYZDnMnlhHSusg== -----END CERTIFICATE----- ------------- PR: https://git.openjdk.java.net/jdk/pull/6416