On Wed, 27 Aug 2025 19:04:20 GMT, Artur Barashev <[email protected]> wrote:
> To avoid any user confusion, we should block signature scheme names to be > used with `CertificateSignature` algorithm constraints usage. For example, > `RSASSA-PSS` certificate signature algorithm corresponds to multiple > signature scheme names and blocking one of those signature scheme with > `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate > signature because other rsa_pss_* signature schemes still will be allowed. We > should direct users to use certificate signature algorithm with > `CertificateSignature` usage directive. For example: > > - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature" > - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage > CertificateSignature` This pull request has been closed without being integrated. ------------- PR: https://git.openjdk.org/jdk/pull/26970
