On Tue, 2 May 2023 18:51:52 GMT, Andy Warner <d...@openjdk.org> wrote:
>> src/java.base/share/data/cacerts/globalsigneccrootcar4 line 3: >> >>> 1: Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 >>> 2: Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 >>> 3: Serial number: 203e57ef53f93fda50921b2a6 >> >> Why is this certificate changed? > > The original R4 did not have the digitalSignature keyUsage set. This root > signs OCSP responses, so it needed to be reissued to comply with section > 7.1.2.1 of the CA/B Forum baseline requirements. The only change between the > two versions aside from the serial number is the addition of the > digitalSignature key usage bit. Thanks for the explanation. Please file a different issue for this change, since it is outside the scope of this issue, which is to specifically add new roots that have been approved by the Java SE CA Root Program processes. Updated roots, even for small changes such as this, should be handled and approved using an equivalent process. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/13754#discussion_r1183027007
