<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">I also understand it this way.<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"></font><br>
</p>
<div class="moz-cite-prefix">Il 14/02/2022 12:32, Dimitris
Zacharopoulos (HARICA) via Cscwg-public ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:0100017ef80138e1-59d4ca04-bcc5-4bdb-a0b4-d0d29c7d86c6-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<br>
Bruce,<br>
<br>
I believe they say that <b>they do check</b> the time-stamp
signature if the code signing certificate has expired.<br>
<br>
In my understanding, this is clearly communicated by the following
statement:<br>
<br>
<i>"This is not true. Assuming the signature of the signed and
timestamped JAR is still valid then an expired code signing
certificate is still valid as long as the timestamp is within
the certificate validity period of all certificates in the
signer's chain."</i><br>
<br>
What do others think?<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 28/1/2022 5:27 μ.μ., Bruce Morton
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017ea14c0a0d-1faee782-6812-4b7d-a819-98cf318b47c0-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Here is a response from Oracle regarding
invalidity date and timestamping. I thought I would
circulate to ensure that I didn’t mis-interpret.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Raji Madduri <a
class="moz-txt-link-rfc2396E"
href="mailto:raji.madduri@oracle.com"
moz-do-not-send="true"><raji.madduri@oracle.com></a>
<br>
<b>Sent:</b> Thursday, January 27, 2022 4:47 PM<br>
<b>To:</b> Bruce Morton <a
class="moz-txt-link-rfc2396E"
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"><Bruce.Morton@entrust.com></a><br>
<b>Cc:</b> javase-ca-request_ww_grp <a
class="moz-txt-link-rfc2396E"
href="mailto:javase-ca-request_ww_grp@oracle.com"
moz-do-not-send="true"><javase-ca-request_ww_grp@oracle.com></a><br>
<b>Subject:</b> [EXTERNAL] RE: Invalidity Date<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WARNING: This email originated outside of
Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="100%" size="2" align="center"> </div>
<p class="MsoNormal">Hi Bruce,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In response to your question:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="background:yellow;mso-highlight:yellow">Is this
also true if the certificate has expired? What I mean is
that if the certificate expired, the signature would not
be trusted, even if it was time-stamped.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">This is not true. Assuming the
signature of the signed and timestamped JAR is still valid
then an expired code signing certificate is still valid as
long as the timestamp is within the certificate validity
period of all certificates in the signer's chain.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">However, if the timestamp or TSA
certificate (or any certificates in its<o:p></o:p></p>
<p class="MsoPlainText">chain) is expired, revoked, or
otherwise invalid, then the signed code is treated as if it
were not timestamped. In this case, if the signer's
certificate had also expired, then it would be treated as
invalid.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Before deploying timestamped code,
customers should always run "jarsigner -verify" to confirm
that the code is properly timestamped. If there is something
wrong with the timestamp, jarsigner should print out the
following warning:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">"This jar contains signatures that do
not include a timestamp. Without a timestamp, users may not
be able to validate this jar after any of the signer
certificates expire (as early as %1$tY-%1$tm-%1$td)."<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Running jarsigner again with
"-J-Djava.security.debug=jar" should print out information
about why the timestamp was invalid.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">To check if certificates are revoked,
you can add the "-revCheck" option to jarsigner (since JDK
15).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hope this helps. Let us know if you need
any further clarification.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Raji<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true" class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Friday, December 3, 2021 8:54 AM<br>
<b>To:</b> Raji Madduri <<a
href="mailto:raji.madduri@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">raji.madduri@oracle.com</a>><br>
<b>Cc:</b> javase-ca-request_ww_grp <<a
href="mailto:javase-ca-request_ww_grp@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">javase-ca-request_ww_grp@oracle.com</a>><br>
<b>Subject:</b> [External] : RE: Invalidity Date<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Raji,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is this also true if the certificate has
expired? What I mean is that if the certificate expired, the
signature would not be trusted, even if it was time-stamped.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Raji Madduri <<a
href="mailto:raji.madduri@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">raji.madduri@oracle.com</a>>
<br>
<b>Sent:</b> Thursday, October 14, 2021 1:21 PM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true" class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>><br>
<b>Cc:</b> javase-ca-request_ww_grp <<a
href="mailto:javase-ca-request_ww_grp@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">javase-ca-request_ww_grp@oracle.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Invalidity Date<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WARNING: This email originated outside of
Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="100%" size="1" align="center"> </div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Bruce,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">In Java Web Start and Plug-in, with
respect to signed code, if a certificate is revoked, we will
not load that code, regardless of when it was revoked. In
other words, we don't look at either the revocation date or
the invalidity date. We simply don't trust it if it is
revoked.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks,<o:p></o:p></p>
<p class="MsoPlainText">Raji<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true" class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Thursday, October 14, 2021 5:33 AM<br>
<b>To:</b> Raji Madduri <<a
href="mailto:raji.madduri@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">raji.madduri@oracle.com</a>><br>
<b>Subject:</b> [External] : RE: Invalidity Date<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Raji,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Just following up on this request. I
believe a ballot which will suggest that the CAs stop using
invalidity date will soon be proposed. I would like to
change the ballot, if this will impact Java signatures.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton <br>
<b>Sent:</b> Wednesday, October 6, 2021 12:18 PM<br>
<b>To:</b> Raji Madduri <<a
href="mailto:raji.madduri@oracle.com"
moz-do-not-send="true" class="moz-txt-link-freetext">raji.madduri@oracle.com</a>><br>
<b>Subject:</b> Invalidity Date<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Raji,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can you please advise if Java uses the
invalidity date per RFC 5280, see <a
href="https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc5280*section-5.3.2__;Iw!!ACWV5N9M2RV99hQ!Ysj5IUx4t6IjHNJxLooKWVbWrCyJpeSeeyxLTEHx4LwHewlHMcBMN9C-t0gD-qHRiQ$"
moz-do-not-send="true">
https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.2</a>?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Windows does not use this date, so they
request that we “back-date” the revocation date to support
the invalidity date concept. Would like to know what to
expect from Java.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><i>Any email and files/attachments
transmitted with it are confidential and are intended
solely for the use of the individual or entity to whom
they are addressed. If this message has been sent to you
in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust
immediately</u> and delete the message from your system.</i>
<o:p></o:p></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
</body>
</html>