- Bug
- Resolution: Fixed
- P4
- None
- None
- b25
In sun.security.validator.EndEntityChecker::checkTSAServer, we need KU_SIGNATURE in KeyUsage and OID_EKU_TIME_STAMPING in ExtendedKeyUsage, but https://datatracker.ietf.org/doc/html/rfc3161#section-2.3 only has a requirement on EKU.
In reality, sigstore’s timestamp server does not have KU_SIGNATURE. Its KeyUsage is a single nonRepudiation.
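To see which of the two policies a given TSA certificate satisfies, the following added example (not JDK code and not part of the original report) compares them using only the public X509Certificate API. The class and method names are hypothetical, strictCheck models the check only as this report describes it, rfc3161Check follows one reading of RFC 3161 section 2.3 (EKU critical and naming only id-kp-timeStamping), and the sample values in main are constructed.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public class TsaCertCheck {
    static final String EKU_EXTENSION = "2.5.29.37";             // extendedKeyUsage extension OID
    static final String EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"; // id-kp-timeStamping

    // Models the check as the report describes it:
    // digitalSignature bit in KeyUsage AND timestamping purpose in EKU.
    static boolean strictCheck(boolean[] keyUsage, List<String> eku) {
        boolean digitalSignature =
                keyUsage != null && keyUsage.length > 0 && keyUsage[0]; // bit 0
        return digitalSignature && eku != null && eku.contains(EKU_TIME_STAMPING);
    }

    // RFC 3161 section 2.3 as read here (assumption): the EKU extension is
    // critical and its only purpose is id-kp-timeStamping. KeyUsage is ignored.
    static boolean rfc3161Check(List<String> eku, Set<String> criticalOids) {
        return eku != null && eku.equals(List.of(EKU_TIME_STAMPING))
                && criticalOids != null && criticalOids.contains(EKU_EXTENSION);
    }

    static String report(boolean[] keyUsage, List<String> eku, Set<String> criticalOids) {
        return "strict (KU + EKU): " + strictCheck(keyUsage, eku)
                + ", RFC 3161 (EKU only): " + rfc3161Check(eku, criticalOids);
    }

    // Same report for a parsed certificate; all three getters may return null
    // when the corresponding extension is absent, which the checks tolerate.
    static String report(X509Certificate cert) throws CertificateParsingException {
        return report(cert.getKeyUsage(), cert.getExtendedKeyUsage(),
                cert.getCriticalExtensionOIDs());
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the certificate described above:
        // KeyUsage holds only nonRepudiation (bit 1). A critical EKU is assumed.
        boolean[] nonRepudiationOnly = new boolean[9];
        nonRepudiationOnly[1] = true;
        System.out.println(report(nonRepudiationOnly,
                List.of(EKU_TIME_STAMPING), Set.of(EKU_EXTENSION)));
    }
}
```

For a real certificate, load it with CertificateFactory.getInstance("X.509") and pass the resulting X509Certificate to report(cert).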