- Bug
- Resolution: Fixed
- P3
- 6
- b27
- sparc
- solaris_9
For object signing certificates, it is strongly recommended that all CA certificates contain the basicConstraints extension, as this is the standard way to identify a CA certificate. For those CAs that wish to limit the applications being certified for, the netscape-cert-type extension may be used. Here is a case:
only netscape-cert-type present: (no basicConstraints)
The cert is a CA if at least one of CA bits is set (bits 5,6, and 7).
Because we do consider the above case in the previous JRE release, even though we transfer our code to use the CertPath API in Mustang, which is PKIX compliant and doesn't include the above case, we will add support for the above case to avoid regression.
###@###.### 2005-2-24 19:18:52 GMT
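The rule described in the report, written out as an added Java example (not code from the JDK or from this report). The class and method names are hypothetical, the sample extension bytes are constructed, and letting a present basicConstraints extension decide on its own is an assumption.

```java
import java.security.cert.X509Certificate;

public class NetscapeCaCheck {
    static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";
    static final String NETSCAPE_CERT_TYPE_OID = "2.16.840.1.113730.1.1";
    // BIT STRING bit 0 is the most significant bit of the first content byte,
    // so bits 5, 6 and 7 (the CA bits) are the three low-order bits.
    static final int CA_BITS_MASK = 0x07;

    // extValue is what X509Certificate.getExtensionValue() returns:
    // a DER OCTET STRING wrapping the DER BIT STRING of the extension.
    static boolean hasNetscapeCaBit(byte[] extValue) {
        if (extValue == null || extValue.length < 6) return false;
        if (extValue[0] != 0x04 || extValue[2] != 0x03) return false;
        int outerLen = extValue[1] & 0xff, innerLen = extValue[3] & 0xff;
        // Only short-form DER lengths are accepted; anything else fails closed.
        if (outerLen >= 0x80 || outerLen != extValue.length - 2) return false;
        if (innerLen != outerLen - 2) return false;
        int unused = extValue[4] & 0xff;          // count of padding bits
        if (unused > 7) return false;
        int first = extValue[5] & 0xff & (0xff << unused); // drop padding bits
        return (first & CA_BITS_MASK) != 0;
    }

    static boolean isCaCertificate(X509Certificate cert) {
        if (cert.getExtensionValue(BASIC_CONSTRAINTS_OID) != null) {
            // Assumption: when basicConstraints is present it decides alone
            // (getBasicConstraints() returns -1 for a non-CA certificate).
            return cert.getBasicConstraints() != -1;
        }
        // The case from the report: no basicConstraints, only netscape-cert-type.
        return hasNetscapeCaBit(cert.getExtensionValue(NETSCAPE_CERT_TYPE_OID));
    }

    public static void main(String[] args) {
        // Constructed sample extension values, not taken from real certificates.
        byte[] objSignCa = {0x04, 0x04, 0x03, 0x02, 0x00, 0x01}; // bit 7 set
        byte[] sslCa     = {0x04, 0x04, 0x03, 0x02, 0x02, 0x04}; // bit 5 set
        byte[] objSign   = {0x04, 0x04, 0x03, 0x02, 0x04, 0x10}; // bit 3 only
        System.out.println("bit 7 set:   CA = " + hasNetscapeCaBit(objSignCa));
        System.out.println("bit 5 set:   CA = " + hasNetscapeCaBit(sslCa));
        System.out.println("bit 3 only:  CA = " + hasNetscapeCaBit(objSign));
        System.out.println("no extension: CA = " + hasNetscapeCaBit(null));
    }
}
```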
- relates to
- JDK-6233935 Add method to sun.security.validator.PKIXValidator to return length of validated certificate chain
- Resolved