<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Yes, I can confirm in the process of validating the end-entity TSA certificate, WVT does validate the validity of the issuing CA and any sub CAs in the chain all the way to the root CA.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ian<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Sent:</b> Friday, January 14, 2022 4:02 AM<br>
<b>To:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Follow-up on Time-stamp Authority Items<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 13/1/2022 8:02 μ.μ., Ian McMillan via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Folks,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I followed up to make sure we have the behavior for Windows understood. WVT (WinVerifyTrust) will do revocation checking for the TSA cert and if timestamped with that TSA, and it will consider the signature as invalid even if the signing
cert is still valid at the time of checking. Corey’s point about the broad usage leads to larger impact in the revocation scenario does play a large factor and why I would like to see the TSA entity certificate max validity come down to 15 months, and we remove
the rekey requirement. <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Hello Ian,<br>
<br>
Thank you for the feedback about WVT, it's very useful. I believe most CAs prefer to have the Time-stamping Issuing CA offline (treated as a Root) because I assume we weren't sure if the timestamp validation extends to the certificate of the Issuing CA. Can
you also please confirm that the validity of the Time-stamping <b>Issuing CA Certificate</b> (at the subCA level) is checked by WVT?
<br>
<br>
If Windows checks for the validity of the issuing CA Certificate, some CAs might consider bringing the TSA Issuing CA online.<br>
<br>
Thanks,<br>
Dimitris.<o:p></o:p></p>
</div>
</body>
</html>