Motivation:
Nothing in RFC-3820 states that an X.509 proxy certificate cannot assert KeyUsage; however, such certificates are currently rejected by JGlobus. This discrepancy is likely due to code developed against a draft version of the RFC and not subsequently updated, but it is certainly preventing the adoption of RFC proxies as some CAs assert NON_REPUDIATION as a KeyUsage.
Modification:
Update proxy certificate validation so that certificates that assert NON_REPUDIATION or KEY_CERTSIGN are accepted.
Result:
RFC-3820 compliant proxies that assert KeyUsage should now be accepted.
Closes jglobus/JGlobus#160
This patch is part of the latest OSG/WLCG package build.