Don't allow signer-provider or verification-provider to override the TSAVerifyOptions.
priteshbandi opened this issue · comments
We don't want signer-provider or verification-provider to override the TSAVerifyOptions, because then the user can override this value and start using a non-time-stamping cert (like SSL) for time-stamping.
Also, as per rfc3161#section-2.3:
The corresponding certificate MUST contain only one instance of the extended key usage field extension as defined in [RFC2459] Section 4.2.1.13 with KeyPurposeID having value: id-kp-timeStamping.
I would suggest starting by not exposing TSAVerifyOptions, and then later, if the need arises, we can expose this option with sane defaults.
Originally posted by @priteshbandi in #15 (comment)
Applications can still override TSAVerifyOptions but not the KeyUsages in it.
@iamsamirzon should we take this into the release? I think this will need review in that case.
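The behaviour discussed in this thread, as an added example that is not the project's own code: callers may pass their own verification options, but the key usage is always pinned to time-stamping and the RFC 3161 section 2.3 EKU rule is checked first. It assumes TSAVerifyOptions is Go's `x509.VerifyOptions`; `pinTSAKeyUsages`, `verifyTSACert` and `sampleCert` are hypothetical names, and the certificates are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pinTSAKeyUsages (hypothetical) keeps the caller's options but always forces
// KeyUsages to id-kp-timeStamping, so that one field cannot be overridden.
func pinTSAKeyUsages(o x509.VerifyOptions) x509.VerifyOptions {
	o.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	return o
}

// verifyTSACert applies RFC 3161 section 2.3 (the EKU extension holds only
// id-kp-timeStamping), then builds the chain with the pinned options.
func verifyTSACert(c *x509.Certificate, o x509.VerifyOptions) error {
	if len(c.UnknownExtKeyUsage) != 0 || len(c.ExtKeyUsage) != 1 ||
		c.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping {
		return fmt.Errorf("TSA certificate EKU must be exactly id-kp-timeStamping")
	}
	_, err := c.Verify(pinTSAKeyUsages(o))
	return err
}

// sampleCert returns a constructed self-signed certificate with the given
// EKUs. Errors are ignored here only because this is sample data.
func sampleCert(ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), ExtKeyUsage: ekus,
		Subject:   pkix.Name{CommonName: "constructed sample"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	ssl := sampleCert(x509.ExtKeyUsageServerAuth)
	roots := x509.NewCertPool()
	roots.AddCert(ssl)
	o := x509.VerifyOptions{Roots: roots, KeyUsages: ssl.ExtKeyUsage}
	fmt.Println("SSL cert as TSA cert:", verifyTSACert(ssl, o))
}
```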