On Fri, 2 Apr 2021 01:56:15 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> Only a few minor comments. Approved.
>
> Maybe we don't need to resolve it in this code change. If we look carefully 
> at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2 
> is using the signer's SKID in 10.1 as its own SKID and it has no AKID. 
> Currently, keytool will generate a new SKID and use signer's SKID as AKID. If 
> we really want to generate a certificate that's identical to the one in the 
> RFC, we'll need a way to tell keytool to omit the AKID (something like "-ext 
> akid=none").

A simple fix you can do this time although unrelated to the issue. 
`Main::createV3Extensions` shows a `@param akey` in spec but the actual 
argument name is `pkey`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3281
