<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:游ゴシック;
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"\@游ゴシック";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:99.25pt 3.0cm 3.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My understanding is the same as yours.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Atsushi Inaba<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=JA style='font-family:游ゴシック'>―――――――――――――――――――――――――――――</span><o:p></o:p></p><p class=MsoNormal>GMO GlobalSign K.K.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Business Planning<o:p></o:p></p><p class=MsoNormal>Atsushi Inaba<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1-2-3, Dogenzaka, Shibuya Ku, Tokyo, Japan<o:p></o:p></p><p class=MsoNormal>150-0043<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>TEL: +81-3-6370-6671<o:p></o:p></p><p class=MsoNormal>FAX: +81-3-6370-6505<o:p></o:p></p><p class=MsoNormal>E-MAIL: <a href="mailto:atsushi.inaba@globalsign.com"><span style='color:#0563C1'>atsushi.inaba@globalsign.com</span></a><o:p></o:p></p><p class=MsoNormal><a href="URL:https://jp.globalsign.com/"><span style='color:#0563C1'>URL:https://jp.globalsign.com/</span></a><o:p></o:p></p><p class=MsoNormal><span lang=JA style='font-family:游ゴシック'>―――――――――――――――――――――――――――――</span><o:p></o:p></p><p class=MsoNormal>THANK YOU 26 YEARS Internet for Everyone<o:p></o:p></p><p class=MsoNormal><span lang=JA style='font-family:游ゴシック'>―――――――――――――――――――――――――――――</span><o:p></o:p></p><p class=MsoNormal><span lang=JA style='font-family:游ゴシック'>■</span> GMO INTERNET GROUP <span lang=JA style='font-family:游ゴシック'>■</span><span lang=JA> </span><a href="http://www.gmo.jp/"><span style='color:#0563C1'>http://www.gmo.jp/</span></a><o:p></o:p></p><p class=MsoNormal><span lang=JA style='font-family:游ゴシック'>―――――――――――――――――――――――――――――</span><o:p></o:p></p><p class=MsoNormal>This e-mail message is intended to be conveyed only to the <o:p></o:p></p><p class=MsoNormal>designated recipient(s). If you are NOT the intended <o:p></o:p></p><p class=MsoNormal>recipient(s) of this e-mail, please kindly notify the sender <o:p></o:p></p><p class=MsoNormal>immediately and delete the original message from your system.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br><b>Sent:</b> Monday, February 14, 2022 9:31 PM<br><b>To:</b> cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] FW: Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>I also understand it this way.<o:p></o:p></p><p>Adriano<o:p></o:p></p><p><o:p> </o:p></p><div><p class=MsoNormal>Il 14/02/2022 12:32, Dimitris Zacharopoulos (HARICA) via Cscwg-public ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:12.0pt'><br>Bruce,<br><br>I believe they say that <b>they do check</b> the time-stamp signature if the code signing certificate has expired.<br><br>In my understanding, this is clearly communicated by the following statement:<br><br><i>"This is not true. Assuming the signature of the signed and timestamped JAR is still valid then an expired code signing certificate is still valid as long as the timestamp is within the certificate validity period of all certificates in the signer's chain."</i><br><br>What do others think?<br><br>Dimitris.<o:p></o:p></p><div><p class=MsoNormal>On 28/1/2022 5:27 μ.μ., Bruce Morton via Cscwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Here is a response from Oracle regarding invalidity date and timestamping. I thought I would circulate to ensure that I didn’t mis-interpret.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks, Bruce.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Raji Madduri <a href="mailto:raji.madduri@oracle.com"><raji.madduri@oracle.com></a> <br><b>Sent:</b> Thursday, January 27, 2022 4:47 PM<br><b>To:</b> Bruce Morton <a href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a><br><b>Cc:</b> javase-ca-request_ww_grp <a href="mailto:javase-ca-request_ww_grp@oracle.com"><javase-ca-request_ww_grp@oracle.com></a><br><b>Subject:</b> [EXTERNAL] RE: Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=1 width="100%" align=center></div><p class=MsoNormal>Hi Bruce,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>In response to your question:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='background:yellow;mso-highlight:yellow'>Is this also true if the certificate has expired? What I mean is that if the certificate expired, the signature would not be trusted, even if it was time-stamped.</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoPlainText>This is not true. Assuming the signature of the signed and timestamped JAR is still valid then an expired code signing certificate is still valid as long as the timestamp is within the certificate validity period of all certificates in the signer's chain.<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>However, if the timestamp or TSA certificate (or any certificates in its<o:p></o:p></p><p class=MsoPlainText>chain) is expired, revoked, or otherwise invalid, then the signed code is treated as if it were not timestamped. In this case, if the signer's certificate had also expired, then it would be treated as invalid.<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>Before deploying timestamped code, customers should always run "jarsigner -verify" to confirm that the code is properly timestamped. If there is something wrong with the timestamp, jarsigner should print out the following warning:<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>"This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td)."<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>Running jarsigner again with "-J-Djava.security.debug=jar" should print out information about why the timestamp was invalid.<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>To check if certificates are revoked, you can add the "-revCheck" option to jarsigner (since JDK 15).<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hope this helps. Let us know if you need any further clarification.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>Raji<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> <br><b>Sent:</b> Friday, December 3, 2021 8:54 AM<br><b>To:</b> Raji Madduri <<a href="mailto:raji.madduri@oracle.com">raji.madduri@oracle.com</a>><br><b>Cc:</b> javase-ca-request_ww_grp <<a href="mailto:javase-ca-request_ww_grp@oracle.com">javase-ca-request_ww_grp@oracle.com</a>><br><b>Subject:</b> [External] : RE: Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hi Raji,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Is this also true if the certificate has expired? What I mean is that if the certificate expired, the signature would not be trusted, even if it was time-stamped.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks, Bruce.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Raji Madduri <<a href="mailto:raji.madduri@oracle.com">raji.madduri@oracle.com</a>> <br><b>Sent:</b> Thursday, October 14, 2021 1:21 PM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br><b>Cc:</b> javase-ca-request_ww_grp <<a href="mailto:javase-ca-request_ww_grp@oracle.com">javase-ca-request_ww_grp@oracle.com</a>><br><b>Subject:</b> [EXTERNAL] RE: Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=1 width="100%" align=center></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hi Bruce,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoPlainText>In Java Web Start and Plug-in, with respect to signed code, if a certificate is revoked, we will not load that code, regardless of when it was revoked. In other words, we don't look at either the revocation date or the invalidity date. We simply don't trust it if it is revoked.<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>Thanks,<o:p></o:p></p><p class=MsoPlainText>Raji<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> <br><b>Sent:</b> Thursday, October 14, 2021 5:33 AM<br><b>To:</b> Raji Madduri <<a href="mailto:raji.madduri@oracle.com">raji.madduri@oracle.com</a>><br><b>Subject:</b> [External] : RE: Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hi Raji,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Just following up on this request. I believe a ballot which will suggest that the CAs stop using invalidity date will soon be proposed. I would like to change the ballot, if this will impact Java signatures.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks, Bruce.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Bruce Morton <br><b>Sent:</b> Wednesday, October 6, 2021 12:18 PM<br><b>To:</b> Raji Madduri <<a href="mailto:raji.madduri@oracle.com">raji.madduri@oracle.com</a>><br><b>Subject:</b> Invalidity Date<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Hi Raji,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Can you please advise if Java uses the invalidity date per RFC 5280, see <a href="https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc5280*section-5.3.2__;Iw!!ACWV5N9M2RV99hQ!Ysj5IUx4t6IjHNJxLooKWVbWrCyJpeSeeyxLTEHx4LwHewlHMcBMN9C-t0gD-qHRiQ$">https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.2</a>?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Windows does not use this date, so they request that we “back-date” the revocation date to support the invalidity date concept. Would like to know what to expect from Java.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks, Bruce.<o:p></o:p></p><p class=MsoNormal><i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i> <o:p></o:p></p><p class=MsoNormal><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Cscwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal><br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Cscwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre></blockquote></div></body></html>