<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 12/2/2021 10:14 μ.μ., Bruce Morton
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good point that it is risky using the BRs,
but that was the way that the CSBRs were originally written.
The same might be said about the EV Guidelines.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
You are referring to the same sentence that exists in the EV
Guidelines under section 1<br>
<br>
<i>"These Guidelines incorporate the Baseline Requirements
established by the CA/Browser Forum by reference. A copy of the
Baseline Requirements is available on the CA/Browser Forum’s
website at <a class="moz-txt-link-abbreviated" href="http://www.cabforum.org">www.cabforum.org</a>."<br>
<br>
</i>I guess I'm still unclear about what "incorporate by reference"
means. Is it adherence to the entirety of the reference? Only when
there is a lack of a similar section? Things are equally ambiguous
(EVG and Code Signing BRs) because of the different numbering
scheme.<br>
<br>
<i></i><br>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">I think that this might be best addressed
if we move the CSBRs to RFC 3647 format. After which, we
review the CSBRs to either confirm that the section of the BRs
if fine or the CSBRs should be updated.
<o:p></o:p></p>
</div>
</blockquote>
<br>
I agree with that approach.<br>
<br>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I don’t believe that we should eliminate
the BRs. The reason is that there are some items that we want
to be the same to help ensure consistency across offerings and
operations. </p>
</div>
</blockquote>
<br>
I believe the WG has made a decision in previous meetings to copy
the entirety of the BRs for TLS that are meaningful for Code
Signing, into the "BRs for Code Signing" to avoid any ambiguities
and challenges regarding the version changes of the TLS BRs. The
risk that was highlighted at that meeting was that the BRs for TLS
might introduce an update that affects the Code Signing requirements
by reference, without the Code Signing Working Group having
evaluated these changes and how they affect the Code Signing
ecosystem.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">For instance, we have one Subscriber
Agreement for all certificates, so we would not want the
documents to conflict with each other on these requirements. I
also assume that we create root CAs to support many
certificate types, so root key generation should be the same
for all.<o:p></o:p></p>
</div>
</blockquote>
<br>
We would have direct references to the BRs, which means that the
Working Group has thought about it and makes an consious decision to
refer to a specific section of the BRs or other documents. Copying
sections of the TLS BRs into the CS BRs has been identified as the
most secure way to avoid any unintentional consequences for the code
signing ecosystem.<br>
<br>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It would be good if we could close any
important items before going through this project. I think
that it would be best if we could get the subscriber key
generation/protection/audit ballot done first.</p>
</div>
</blockquote>
<br>
That seems like a good way to proceed.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:SN6PR11MB26566873B206AE95446D6497828B9@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dimitris Zacharopoulos
(HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>
<br>
<b>Sent:</b> Tuesday, February 2, 2021 12:02 PM<br>
<b>To:</b> Adriano Santoni
<a class="moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Suspension
of code signing certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
This interpretation is very risky because the BRs were not
developed with code signing in mind but with TLS Certificates.
I believe the working group should focus on finding areas that
are in the BRs, don't exist in the CSBRs but are considered
meaningful for code signing certificates and update the CSBRs.
This will avoid any ambiguities about the expectations and
keep CAs and auditors focused on one document with direct
references to TLS BRs and EV Guidelines.<br>
<br>
For example, in 17.5 of the CSBRs, we have clear requirements
for EV Code Signing Certificates. Does this mean that 8.7 of
the BRs applies and this requirement is also applicable for
the non-EV Code Signing Certificates? One is explicitly called
out and the other is implicit according to this
interpretation.<br>
<br>
Similarly for the <a
href="https://urldefense.com/v3/__https:/github.com/cabforum/servercert/blob/main/docs/BR.md*722-crl-and-crl-entry-extensions__;Iw!!FJ-Y8qCqXTj2!KXIOcoWJx5dE6sqoBkQJNaMOEeSvD_TggxYHH8QDL11Vr-0pB1zooot9p1bigHR3YZA$"
moz-do-not-send="true">
CRL profile</a> and many other cases. These were recent
changes to the TLS BRs. Are they implicit requirements for
code signing certificates?<br>
<br>
I believe we should discuss and clarify this issue soon.<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 2/2/2021 6:47 μ.μ., Adriano Santoni
via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Thank you Bruce.<o:p></o:p></p>
<p>That answers my doubt, although indirectly, and I agree
with your interpretation.<o:p></o:p></p>
<p>I am not sure if it is worth to explicitate this in the
CSBR ....<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">Il 02/02/2021 14:56, Bruce Morton ha
scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">The CSBRs state, “Except where
specifically stated or in the event of conflict in which
case these Requirements will prevail,
<span style="background:yellow;mso-highlight:yellow">this
document incorporates by reference the Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates (“Baseline Requirements”)</span>,
the Network and Certificate System Security Requirements
and, in the case of EV Code Signing Certificates, the
Guidelines For The Issuance And Management of Extended
Validation Certificates as established by the CA/Browser
Forum, copies of which are available on the CA/Browser
Forum’s website at
<a
href="https://urldefense.com/v3/__http:/www.cabforum.org__;!!FJ-Y8qCqXTj2!KXIOcoWJx5dE6sqoBkQJNaMOEeSvD_TggxYHH8QDL11Vr-0pB1zooot9p1biqVQaYfI$"
moz-do-not-send="true">
www.cabforum.org</a>.”<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The CSBRs do not state any requirements
about suspension of code signing certificates.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">BR 4.9.13 states, “The Repository MUST
NOT include entries that indicate that a Certificate is
suspended.”<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">My conclusion is that suspension of
code signing certificates is not supported by the CSBRs.
If there is agreement, we could make an update to the
CSBRs to make this clear.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">
<cscwg-public-bounces@cabforum.org></a> <b>On
Behalf Of </b>Adriano Santoni via Cscwg-public<br>
<b>Sent:</b> Tuesday, February 2, 2021 4:38 AM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] Suspension
of code signing certs<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">WARNING: This email originated
outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></p>
</div>
<p>All,<o:p></o:p></p>
<p>this is probably an old matter, but I could not solve my
doubts browsing the past posts.<o:p></o:p></p>
<p>I suppose, but I am not certain, that - as for SSL Server
certificates - Code Signing certificates must not be
suspended (that is, there must not be a CRLReason
"certificateHold" in a CRL entry). But maybe I am wrong,
as I cannot find the relevant language in the Code Signing
BR. Anybody, please point me at the right spot in the
document.<o:p></o:p></p>
<p>TIA<o:p></o:p></p>
<p>Adriano<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal">Il 01/02/2021 10:32, Dimitris
Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><br>
According to the requirements, and section 13.2.1: <br>
<br>
"CAs MUST provide OCSP responses for Code Signing
Certificates and Timestamp Certificates for the time
period specified in their CPS, which MUST be at least 10
years after the expiration of the certificate"
<br>
<br>
However, according to Certificate Consumer policies,
either CRL or OCSP is required to be used.
<br>
<br>
I would like to ask for Members to consider requiring
either CRL or OCSP information to be required in
end-entity certificates used for Time-stamping. The
rationale is that Time-stamping Certificates are very
few compared to other end-entity certificates and CRLs
should be considered sufficient because their size is
not significant. <br>
<br>
Please let me know your thoughts, concerns or
objections. <br>
<br>
<br>
Thank you, <br>
Dimitris. <br>
_______________________________________________ <br>
Cscwg-public mailing list <br>
<a href="mailto:Cscwg-public@cabforum.org"
moz-do-not-send="true">Cscwg-public@cabforum.org</a> <br>
<a
href="https://urldefense.com/v3/__https:/lists.cabforum.org/mailman/listinfo/cscwg-public__;!!FJ-Y8qCqXTj2!KXIOcoWJx5dE6sqoBkQJNaMOEeSvD_TggxYHH8QDL11Vr-0pB1zooot9p1biIl3XcW0$"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
<o:p></o:p></p>
</blockquote>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.com/v3/__https:/lists.cabforum.org/mailman/listinfo/cscwg-public__;!!FJ-Y8qCqXTj2!KXIOcoWJx5dE6sqoBkQJNaMOEeSvD_TggxYHH8QDL11Vr-0pB1zooot9p1biIl3XcW0$" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>