- Enhancement
- Resolution: Unresolved
- P4
- None
- 25
- None
- Cause Known

To avoid user confusion, we should block signature scheme names from being used with the `CertificateSignature` algorithm constraints usage. For example, the `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names, so blocking one of those signature schemes with the `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signatures, because the other rsa_pss_* signature schemes will still be allowed. We should direct users to use the certificate signature algorithm with the `CertificateSignature` usage directive. For example:
- To be blocked: `rsa_pss_pss_sha256 usage CertificateSignature`
- To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`
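
Until such entries are rejected, a configuration lint can catch them. The following is an added example, not JDK code: it assumes the entries live in a comma-separated disabled-algorithms value (such as the `jdk.tls.disabledAlgorithms` security property), that `usage` is followed by space-separated usage types, and it covers only the rsa_pss_* family named above. `parse_entries`, `lint` and the sample values are hypothetical and constructed.

```python
# Added example (not JDK code): flag rsa_pss_* signature scheme names that are
# combined with "usage CertificateSignature" in a disabled-algorithms value.

# The six rsa_pss_* TLS signature scheme names (RFC 8446).
PSS_SCHEMES = {f"rsa_pss_{kind}_{digest}"
               for kind in ("pss", "rsae")
               for digest in ("sha256", "sha384", "sha512")}


def parse_entries(value):
    """Yield (algorithm_name, set_of_lowercased_usages) per comma-separated entry."""
    value = value.replace("\\\n", " ")  # join java.security line continuations
    for raw in value.split(","):
        tokens = raw.split()
        if not tokens:
            continue
        name, usages = tokens[0], set()
        # Constraints after the name are joined with '&'; only 'usage' matters here.
        for constraint in " ".join(tokens[1:]).split("&"):
            parts = constraint.split()
            if parts and parts[0].lower() == "usage":
                usages.update(p.lower() for p in parts[1:])
        yield name, usages


def lint(value):
    """Return one finding per scheme name used with usage CertificateSignature."""
    findings = []
    for name, usages in parse_entries(value):
        if name.lower() in PSS_SCHEMES and "certificatesignature" in usages:
            findings.append({
                "entry": name,
                # Sibling schemes that keep RSASSA-PSS certificate signatures usable.
                "still_allowed": sorted(PSS_SCHEMES - {name.lower()}),
                "use_instead": "RSASSA-PSS usage CertificateSignature",
            })
    return findings


# Constructed sample values.
SAMPLE_WEAK = "SSLv3, rsa_pss_pss_sha256 usage CertificateSignature, RC4"
SAMPLE_OK = ("SSLv3, RSASSA-PSS usage CertificateSignature, "
             "rsa_pss_pss_sha256 usage HandshakeSignature")

if __name__ == "__main__":
    for f in lint(SAMPLE_WEAK):
        print(f"{f['entry']}: {len(f['still_allowed'])} other rsa_pss_* schemes "
              f"stay allowed; use '{f['use_instead']}'")
```
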

- csr for: JDK-8366263 Block signature scheme names to be used with CertificateSignature algorithm constraints usage (Draft)
- links to: Review(master) openjdk/jdk/26970