<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
In addition to my previous post, we should also consider the
necessity of the following requirement which is applicable to
Time-stamping Certificates. <br>
<br>
"The CA SHALL update and reissue CRLs at least (i) once every twelve
months ", and similarly for OCSP responses.<br>
<br>
If the entire lifetime of a Timestamping certificate is to be
changed to 15 months, this requirement doesn't make much sense to
me.<br>
<br>
If we want to make CRLs mandatory, we must also update Appendix B
(3) B.<br>
<br>
Since OCSP is optional, we should also update Appendix B (2) C and
(4) C to match the updated language of (3) C.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 10/3/2021 12:48 μ.μ., Dimitris
Zacharopoulos (HARICA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:41aac3b0-7e66-9eed-e2e0-8072a14573a0@harica.gr">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<br>
Dear Ian,<br>
<br>
As I mentioned at our last meeting, we should take into account
the fact that other Code Signing Certificate Consumers may use the
timestamps in a different way and would invalidate code if the
timestamp certificate expires. <br>
<br>
We should probably do some research and find out how Code Signing
Certificate Consumers, like Oracle (for Java application), handle
this issue so we do not create any unintentional problems to the
code signing ecosystem.<br>
<br>
If any member has investigated the issue, it would be great to get
some additional feedback.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/3/2021 7:41 μ.μ., Ian McMillan
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017818140154-d51f1898-1c75-4746-9dcc-16aeba364309-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.xmsolistparagraph, li.xmsolistparagraph, div.xmsolistparagraph
{mso-style-name:x_msolistparagraph;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><b>Ballot CSC-8: Update to OCSP responses
& Timestamping certificate max validity<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello CSCWG members,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="xmsonormal">In light of the issues we’ve discussed
on the current requirements for OCSP responses for both code
signing and timestamping certificates and the max validity
of Timestamping certificates, I’ve made a full pass at the
CSBRs now to update them for two things: <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="xmsolistparagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Timestamping
certificates max validity moved from 135 to 15 months
(9.4)<o:p></o:p></li>
<li class="xmsolistparagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Made OCSP
optional with CRLs being required (13.2.1, 13.2.2,
Appendix B: 3C, 5C)<o:p></o:p></li>
</ol>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">In Appendix B, I also noted that the
requirements for the Timestamping (5C) and Code Signing (3C)
certificates had AIA value requirements to include the root
certificate URL, but that should be the issuing CA URL.
Looked to be likely an old copy-paste issue from long ago,
so I’ve updated those as well.<o:p></o:p></p>
<p class="xmsonormal"><o:p> </o:p></p>
<p class="xmsonormal">I shared these edits with Bruce Morton
and Tim Hollebeek, and I appreciated their feedback and
guidance. <o:p></o:p></p>
<p class="xmsonormal"><o:p> </o:p></p>
<p class="xmsonormal"><b>ASK:</b> Please review the attached
redline version of the CSBRs with these changes and provide
feedback. If you are willing to sponsor this in a new ballot
(CSC-8), please let me know.<o:p></o:p></p>
<p class="xmsonormal"><o:p> </o:p></p>
<p class="xmsonormal">Thank you,<o:p></o:p></p>
<p class="xmsonormal">Ian<o:p></o:p></p>
<p class="xmsonormal"><o:p> </o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>