<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p><font face="Calibri">Me too <br>
</font></p>
<p><font face="Calibri">+1</font><br>
</p>
<div class="moz-cite-prefix">On 14/04/2021 00:10, Ian McMillan via
Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000178cd495bae-56fa6b1c-e1d3-4247-86d3-d8081fdcedea-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">I am very much supportive of this TS CSBR-compliant
OID and of getting it added.</p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Ian</p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a> <br>
<b>Sent:</b> Tuesday, April 13, 2021 8:09 AM<br>
<b>To:</b> Corey Bonnell
<a class="moz-txt-link-rfc2396E" href="mailto:Corey.Bonnell@digicert.com"><Corey.Bonnell@digicert.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Ian McMillan
<a class="moz-txt-link-rfc2396E" href="mailto:ianmcm@microsoft.com"><ianmcm@microsoft.com></a><br>
<b>Subject:</b> [EXTERNAL] RE: Code Signing Dedicated Root</p>
</div>
</div>
<p class="MsoNormal">Should we first have the OID approved and
designated by the CAB Forum?</p>
<p class="MsoNormal">Bruce.</p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Corey Bonnell <<a
href="mailto:Corey.Bonnell@digicert.com"
moz-do-not-send="true">Corey.Bonnell@digicert.com</a>>
<br>
<b>Sent:</b> Tuesday, April 13, 2021 11:07 AM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>;
Ian McMillan <<a href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true">ianmcm@microsoft.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Code Signing Dedicated Root</p>
</div>
</div>
<p class="MsoNormal">Hi Bruce,</p>
<p class="MsoNormal">I think this OID looks good; adding a
requirement for Timestamp Certificates to assert this OID
should be a simple modification of 9.3.1. I’d be happy to
draft the update if someone can send me the “master copy” of
the Word doc for the current version of the CSBRs.</p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Corey</p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Monday, April 12, 2021 10:30 AM<br>
<b>To:</b> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true">ianmcm@microsoft.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Code Signing Dedicated
Root</p>
</div>
</div>
<p class="MsoNormal">Another action is that we should create a
timestamping certificate policy OID to add into the
timestamping certificates, where the OID is referenced from
the CSBRs. This would mean that any timestamping certificate
with this OID would meet the requirements of the CSBRs.</p>
<p class="MsoNormal">If agreed, I suggest: <b><i>codesigning-requirements(4)
timestamp(2) — 2.23.140.1.4.2 (Timestamp Certificate
issued in compliance with the Code Signing Baseline
Requirements)</i></b></p>
<p class="MsoNormal">Bruce.</p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true">ianmcm@microsoft.com</a>>
<br>
<b>Sent:</b> Wednesday, March 17, 2021 4:10 PM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: Code Signing Dedicated Root</p>
</div>
</div>
<p class="MsoNormal">Thank you Bruce!</p>
<p class="MsoNormal">This is a great subject to bring forward,
and one that has been on my mind as well (especially after
Ryan’s presentation at the last F2F).</p>
<p class="MsoNormal">Cheers,</p>
<p class="MsoNormal">Ian</p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 17, 2021 12:44 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] Code Signing
Dedicated Root</p>
</div>
</div>
<p class="MsoNormal">Based on the F2F discussion of a dedicated
PKI hierarchy for TLS and S/MIME, I think we should also
discuss it for Code Signing.</p>
<p class="MsoNormal">My understanding is that the direction is
to have 1) one policy, 2) one (or more) dedicated hierarchies
to support the policy, and 3) one audit.</p>
<p class="MsoNormal">The good news is the CSWG is already going in
the right direction. We have created one policy per the CSBRs
which covers non-EV/EV code signing certificates and the
associated time-stamping certificates. In addition, WebTrust
has created one set of audit criteria, which would be able to cover
dedicated roots, subordinate CAs and subscriber certificates.</p>
<p class="MsoNormal">To address a dedicated hierarchy for Code
Signing, a simple implementation would be:</p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph">One RSA
root (or ECC root) for non-EV code signing, EV code signing
and time-stamping subordinate CAs, and associated subscriber
certificates</li>
<li class="MsoListParagraph">The
hierarchy is to support only the policy associated with the
CSBRs and would not be subject to other requirements which would
impact the CSBR policy</li>
<li class="MsoListParagraph">Subscriber
certificates would have the applicable CA/Browser Forum
certificate policy OID to indicate they were issued in accordance with the
CSBRs</li>
</ul>
<p class="MsoNormal">I have thought about other requirements for
a Time-stamping dedicated root and hierarchy. As Time-stamping
only is out of scope for the CSWG, I think we can only address
time-stamping as it applies to code signing certificates per
the CSBRs. I also think that a single root to cover both code
signing and time-stamping would make it easier for ubiquity
and for end user validation of signatures.</p>
<p class="MsoNormal">Regarding testing of roots, the CSBRs refer
to SSL BR Appendix C. This is an incorrect reference as the
requirement is now in SSL BR 2.2, which states:</p>
<p class="MsoNormal" style="margin-left:.5in">“The CA SHALL
host test Web pages that allow Application Software Suppliers to
test their software with Subscriber Certificates that chain up
to each publicly trusted Root Certificate. At a minimum, the
CA SHALL host separate Web pages using Subscriber Certificates
that are (i) valid, (ii) revoked, and (iii) expired.”</p>
<p class="MsoNormal">With a dedicated hierarchy which only
issues code signing and time-stamping certificates, we cannot
issue SSL certificates for Web pages. This only works now as
we use multi-purpose roots. I think we should change this
requirement or allow an option, where the CA must post on a
test-site, signed/time-stamped code where the certificates
were issued from Subordinate CAs which were issued from the
Root being tested.</p>
<p class="MsoNormal">Since we are in the early phase of moving
to 4096-bit RSA CAs for code signing, it would be great if we
can agree as to what would be acceptable for a dedicated
hierarchy with the goal of getting this right from the
beginning.</p>
<p class="MsoNormal">Thanks, Bruce.</p>
</div>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
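<p>The thread proposes that time-stamping certificates assert the policy OID 2.23.140.1.4.2 (codesigning-requirements(4) timestamp(2)) in their certificatePolicies extension so that a relying party can tell a CSBR-compliant timestamp certificate apart from any other. The Go program below is an added example, not code from the thread, from the CA/Browser Forum or from any CA: it builds a constructed, self-signed test certificate that carries the proposed OID (and a second one that does not), then decodes the certificatePolicies extension directly from the DER and checks for the OID together with the id-kp-timeStamping extended key usage, which is the pair of checks a verifier would combine. The subject name, the <code>policyInformation</code> struct, and the <code>CheckTimestampCert</code>/<code>MakeTestTimestampCert</code> names are assumptions made for illustration.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Policy OID proposed in the thread: codesigning-requirements(4) timestamp(2).
var csbrTimestampPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 4, 2}

// id-ce-certificatePolicies (RFC 5280, section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors RFC 5280 PolicyInformation. The optional
// policyQualifiers are left out: this check only needs the OID, and
// Go's asn1 decoder tolerates extra trailing elements in a SEQUENCE.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// TimestampCheck records what a relying party would look for.
type TimestampCheck struct {
	HasCSBRPolicy   bool     // certificatePolicies asserts 2.23.140.1.4.2
	HasTimestampEKU bool     // extendedKeyUsage contains id-kp-timeStamping
	Policies        []string // every policy OID found, dotted form
}

// CheckTimestampCert decodes certificatePolicies from the raw extension
// bytes (independent of which Go version populated which struct field)
// and takes the EKU from the parsed certificate.
func CheckTimestampCert(cert *x509.Certificate) (TimestampCheck, error) {
	var res TimestampCheck
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var pols []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &pols)
		if err != nil {
			return res, fmt.Errorf("certificatePolicies: %w", err)
		}
		if len(rest) != 0 {
			return res, fmt.Errorf("certificatePolicies: trailing data")
		}
		for _, p := range pols {
			res.Policies = append(res.Policies, p.Policy.String())
			if p.Policy.Equal(csbrTimestampPolicy) {
				res.HasCSBRPolicy = true
			}
		}
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageTimeStamping {
			res.HasTimestampEKU = true
		}
	}
	return res, nil
}

// MakeTestTimestampCert builds a self-signed, constructed sample
// certificate (not a real CA artifact) with the timestamping EKU and,
// when withPolicy is set, a certificatePolicies extension asserting the
// proposed OID. The extension is hand-encoded so the DER shape is explicit.
func MakeTestTimestampCert(withPolicy bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test Timestamp Unit (constructed sample)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
		BasicConstraintsValid: true,
	}
	if withPolicy {
		val, err := asn1.Marshal([]policyInformation{{Policy: csbrTimestampPolicy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withPolicy := range []bool{true, false} {
		cert, err := MakeTestTimestampCert(withPolicy)
		if err != nil {
			panic(err)
		}
		res, err := CheckTimestampCert(cert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("policies=%v csbrPolicy=%v timestampEKU=%v\n",
			res.Policies, res.HasCSBRPolicy, res.HasTimestampEKU)
	}
}
```

<p>The OID only records what the issuing CA asserts; a verifier still has to chain the certificate to a root it trusts for this purpose, and under a dedicated code-signing hierarchy as discussed above that root would issue nothing but code-signing and time-stamping certificates.</p>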
</body>
</html>