RC 11

Improvements/Changes

• LG-873 Add x509_issuer to piv/cac response data for OIDC
• Add updated certs for Treasury and State (LG-3513) (#164)
• Update .gitignore to allow .pem files (#166)
• Remove reek (#165)
• Certificate Chain Service (#167)

RC 9

Features

• None

Bugs and Enhancements

• Update newrelic to use gov endpoint (#156)

PIV/CAC Issuing Certificates

• LG-3043: map bridge certs (#154)

RC 8

Features

None

Bugs and Enhancements

• Expand bundled certs into repo #144
• Bump websocket-extensions from 0.1.4 to 0.1.5 #149
• Bump puma from 3.12.4 to 3.12.6 #150

PIV/CAC Issuing Certificates

• Add DOD missing certs #151

RC 7

Features

• Support OID Chaining #65

Bugs and Enhancements

• Restore caching of OCSP revocations #63

PIV/CAC Issuing Certificates

None

RC 6

Features

• Validate issuing certs only on-demand rather than at startup
• Cache OCSP responses for a short time

RC 4

Features

• OCSP support #25, #50

Bugs and Enhancements

• Support proxies in deployed environments #46, #47
• Update gems to avoid potential security issues #44, #48

PIV/CAC Issuing Certificates

• Remove revoked RRB certificate
• Add additional State certificates

RC 3

Features

• Add more policy OIDs
• Trust Treasury CA Root

RC 2

Features

• Check for policy OIDs in PIV/CAC public certs.

New CA Certs

• /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-49
• /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-51
• /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-52

RC 1

Features:

• More signing certs.
• Logging of unverifiable certs to an S3 bucket.
• Authenticate token decryption requests.

Bugs:

• Gracefully handle unparsable http referrers.