[Cscwg-public] Timestamp Certificate and SubCA updates

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Mar 6 12:07:45 UTC 2024


All, 

As discussed last week, I’d send out the draft language for this ballot once more before starting the discussion period. The latest version can be found in https://github.com/cabforum/code-signing/pull/34

I’ve made changes this morning to add 3 effective dates, these are:

* For the removal of private keys associated with timestamp certificates, effective June 1st, 2024, CAs will need to properly log the removal of said key.
    * While I expect CAs to already properly log this for audit purposes even now, there may be exceptions for when this has not been done, for example a private key or timestamp certificate that was signed maybe 20 years ago. This language is added to avoid any confusion about from what point there needs to be an audit trail.
* Effective April 15, 2025, private keys associated with SubCAs containing the “Time Stamping” EKU will need to be placed in offline HSMs.
    * I believe a roughly one year effective date is appropriate here, since CAs may need to move keys from one HSM to another.
* For private keys associated with timestamp certificates that were issued for greater than 15 months, CAs will need to remove the private keys 18 months after certificate issuance, starting April 15, 2025.
    * Likewise, I feel like anything involving HSM process changes should have a longer effective date, and it makes sense to align this with the effective date above.


I’ll start a ballot on this early next week, unless there is concern with the above. 

Regards,

Martijn 
