<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">What Dimitris is saying deserves
consideration, IMO.</font></p>
<p><font face="Calibri">At any rate, the comparison between the two
sets of requirements is made a bit difficult by their different
articulation, as one is RFC3647-based while the other is not.</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"></font><br>
</p>
<div class="moz-cite-prefix">Il 02/02/2021 18:01, Dimitris
Zacharopoulos (HARICA) ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:6822c040-4de1-5bd9-6775-78bbe701d54b@harica.gr">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<br>
This interpretation is very risky because the BRs were not
developed with code signing in mind but with TLS Certificates. I
believe the working group should focus on finding areas that are
in the BRs, don't exist in the CSBRs but are considered meaningful
for code signing certificates and update the CSBRs. This will
avoid any ambiguities about the expectations and keep CAs and
auditors focused on one document with direct references to TLS BRs
and EV Guidelines.<br>
<br>
For example, in 17.5 of the CSBRs, we have clear requirements for
EV Code Signing Certificates. Does this mean that 8.7 of the BRs
applies and this requirement is also applicable for the non-EV
Code Signing Certificates? One is explicitly called out and the
other is implicit according to this interpretation.<br>
<br>
Similarly for the <a moz-do-not-send="true"
href="https://github.com/cabforum/servercert/blob/main/docs/BR.md#722-crl-and-crl-entry-extensions">CRL
profile</a> and many other cases. These were recent changes to
the TLS BRs. Are they implicit requirements for code signing
certificates?<br>
<br>
I believe we should discuss and clarify this issue soon.<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 2/2/2021 6:47 μ.μ., Adriano
Santoni via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017763a46929-224b4815-0e3f-4430-8981-85938af107cf-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p><font face="Calibri">Thank you Bruce.</font></p>
<p><font face="Calibri">That answers my doubt, although
indirectly, and I agree with your interpretation.</font></p>
<p><font face="Calibri">I am not sure if it is worth to
explicitate this in the CSBR ....<br>
</font></p>
<p><font face="Calibri">Adriano</font><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">Il 02/02/2021 14:56, Bruce Morton
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR11MB2656529BCC218EA39E09C01782B59@SN6PR11MB2656.namprd11.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">The CSBRs state, “Except where
specifically stated or in the event of conflict in which
case these Requirements will prevail, <span
style="background:yellow;mso-highlight:yellow">this
document incorporates by reference the Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates (“Baseline Requirements”)</span>,
the Network and Certificate System Security Requirements
and, in the case of EV Code Signing Certificates, the
Guidelines For The Issuance And Management of Extended
Validation Certificates as established by the CA/Browser
Forum, copies of which are available on the CA/Browser
Forum’s website at <a href="http://www.cabforum.org"
moz-do-not-send="true">www.cabforum.org</a>.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The CSBRs do not state any requirements
about suspension of code signing certificates.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">BR 4.9.13 states, “The Repository MUST
NOT include entries that indicate that a Certificate is
suspended.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My conclusion is that suspension of
code signing certificates is not supported by the CSBRs.
If there is agreement, we could make an update to the
CSBRs to make this clear.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
class="moz-txt-link-rfc2396E"
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Tuesday, February 2, 2021 4:38 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated"
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] Suspension
of code signing certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">WARNING: This email originated
outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></p>
</div>
<p>All,<o:p></o:p></p>
<p>this is probably an old matter, but I could not solve my
doubts browsing the past posts.<o:p></o:p></p>
<p>I suppose, but I am not certain, that - as for SSL Server
certificates - Code Signing certificates must not be
suspended (that is, there must not be a CRLReason
"certificateHold" in a CRL entry). But maybe I am wrong,
as I cannot find the relevant language in the Code Signing
BR. Anybody, please point me at the right spot in the
document.<o:p></o:p></p>
<p>TIA<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 01/02/2021 10:32, Dimitris
Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><br>
According to the requirements, and section 13.2.1: <br>
<br>
"CAs MUST provide OCSP responses for Code Signing
Certificates and Timestamp Certificates for the time
period specified in their CPS, which MUST be at least 10
years after the expiration of the certificate" <br>
<br>
However, according to Certificate Consumer policies,
either CRL or OCSP is required to be used. <br>
<br>
I would like to ask for Members to consider requiring
either CRL or OCSP information to be required in
end-entity certificates used for Time-stamping. The
rationale is that Time-stamping Certificates are very
few compared to other end-entity certificates and CRLs
should be considered sufficient because their size is
not significant. <br>
<br>
Please let me know your thoughts, concerns or
objections. <br>
<br>
<br>
Thank you, <br>
Dimitris. <br>
_______________________________________________ <br>
Cscwg-public mailing list <br>
<a href="mailto:Cscwg-public@cabforum.org"
moz-do-not-send="true">Cscwg-public@cabforum.org</a> <br>
<a
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
<o:p></o:p></p>
</blockquote>
</div>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</blockquote>
</body>
</html>