<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal>There appears to be contradictory language in CSBR 11.2.1, as it states the following:<o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'>A Timestamp Authority is NOT REQUIRED to validate in any way data submitted to it for timestamping. It simply adds the time to the data that are presented to it, signs the result and appends its own Timestamp Certificate.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The clause “and appends it own Timestamp Certificate” is an unconditional requirement for a timestamp response to include the TSA certificate chain. This conflicts with CSBR 16.1 (1), which mandates compliance with RFC 3161, which in turn states in RFC 3161 section 2.4.1:<o:p></o:p></p><p class=MsoNormal> If the certReq field is missing or if the certReq field is present<o:p></o:p></p><p class=MsoNormal> and set to false then the certificates field from the SignedData<o:p></o:p></p><p class=MsoNormal> structure MUST not be present in the response.<b><o:p></o:p></b></p><p class=MsoNormal><b><span style='font-family:"Arial",sans-serif;color:#0174C3'><o:p> </o:p></span></b></p><p class=MsoNormal>The introduction of the contradictory language in 11.2.1 was introduced as part of the OV CS/EV CS BR document merge last year, as I am unable to find any instances of that text in previous versions of the documents. Additionally, the intent of the document merge was not to introduce normative changes, so I believe the intent is that CAs should respect the certReq field value in the timestamp request and conditionally include the certificate chain.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If there is agreement on this interpretation, I’d be happy to draft a clarification ballot.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<b><span style='font-family:"Arial",sans-serif;color:#0174C3'><o:p></o:p></span></b></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>