On Fri, 7 Mar 2025 16:31:33 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with >> "jdk.tls.disabledAlgorithms" property we don't differentiate between >> signatures used to sign a TLS handshake exchange and the signatures used in >> TLS certificates: >> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Move SSLScope class description below the package src/java.base/share/conf/security/java.security line 747: > 745: # > 746: # Handshake restricts the use of the algorithm in TLS handshake > signatures. > 747: # Certificate restricts the use of the algorithm in certificate > signatures. I think we should repeat this sentence from the "UsageConstraint" definition in the `jdk.certpath.disabledAlgorithms` property: "The usage type follows the keyword and more than one usage type can be specified with a whitespace delimiter." (This will also help address Joe's comment on the CSR). ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1985540008
