<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">The CSBRs state, “Except where specifically stated or in the event of conflict in which case these Requirements will prevail,
<span style="background:yellow;mso-highlight:yellow">this document incorporates by reference the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”)</span>, the Network and Certificate System Security
Requirements and, in the case of EV Code Signing Certificates, the Guidelines For The Issuance And Management of Extended Validation Certificates as established by the CA/Browser Forum, copies of which are available on the CA/Browser Forum’s website at
<a href="http://www.cabforum.org">www.cabforum.org</a>.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The CSBRs do not state any requirements about suspension of code signing certificates.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">BR 4.9.13 states, “The Repository MUST NOT include entries that indicate that a Certificate is suspended.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My conclusion is that suspension of code signing certificates is not supported by the CSBRs. If there is agreement, we could make an update to the CSBRs to make this clear.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Tuesday, February 2, 2021 4:38 AM<br>
<b>To:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] Suspension of code signing certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p>
</div>
<p>All,<o:p></o:p></p>
<p>this is probably an old matter, but I could not solve my doubts browsing the past posts.<o:p></o:p></p>
<p>I suppose, but I am not certain, that - as for SSL Server certificates - Code Signing certificates must not be suspended (that is, there must not be a CRLReason "certificateHold" in a CRL entry). But maybe I am wrong, as I cannot find the relevant language
in the Code Signing BR. Anybody, please point me at the right spot in the document.<o:p></o:p></p>
<p>TIA<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 01/02/2021 10:32, Dimitris Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><br>
According to the requirements, and section 13.2.1: <br>
<br>
"CAs MUST provide OCSP responses for Code Signing Certificates and Timestamp Certificates for the time period specified in their CPS, which MUST be at least 10 years after the expiration of the certificate"
<br>
<br>
However, according to Certificate Consumer policies, either CRL or OCSP is required to be used.
<br>
<br>
I would like to ask for Members to consider requiring either CRL or OCSP information to be required in end-entity certificates used for Time-stamping. The rationale is that Time-stamping Certificates are very few compared to other end-entity certificates and
CRLs should be considered sufficient because their size is not significant. <br>
<br>
Please let me know your thoughts, concerns or objections. <br>
<br>
<br>
Thank you, <br>
Dimitris. <br>
_______________________________________________ <br>
Cscwg-public mailing list <br>
<a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a> <br>
<a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
<o:p></o:p></p>
</blockquote>
</div>
</body>
</html>