<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello everyone,<br>
<br>
We are setting up a new Timestamping Authority and we are looking
for specific rules that apply to certificates and subCA Certificates
related to timestamping. While reading various standards and the
CA/B Forum documents, and after looking at various existing
implementations of publicly-trusted CAs, I have some questions and
would appreciate any feedback from the forum. Although the BRs apply
to SSL certificates, some Root Certificates might be used for both
SSL and timestamping services. So the questions that follow apply
to CAs that use the same Root Certificate for both SSL and
timestamping purposes. Of course, the EV CodeSigning requirements
also define some rules for "EV Timestamp Authorities".<br>
<br>
<ol>
<li>Section 6.1.7 of the Baseline Requirements states that the
Root CA Private Keys MUST NOT be used to sign end-entity
certificates with some exceptions. This exception list does not
specifically mention end-entity certificates with EKU
id-kp-timeStamping. Are Root CAs allowed to directly issue
end-entity certificates for timestamping authorities (end-entity
certificates with EKU only id-kp-timeStamping)?</li>
<li>Section 4.9.7 describes the CRL issuance frequency for
Subscriber and Subordinate CA Certificates. If there is a
Subordinate CA Certificate constrained with EKU
id-kp-timeStamping, is an end-entity certificate (with only
id-kp-timeStamping) issued from that subCA considered a
"Subscriber" Certificate? Should this subCA issue CRLs every 7
days or every 12 months? My understanding (according to section
1.1 of the BRs) is that the end-entity certificates from that
subCA are not required to comply with the CA/B Forum BRs. This
should allow the CA to choose the CRL issuance frequency (from that
restricted subCA) to exceed the 7-day requirement.<br>
</li>
</ol>
<br>
Thank you in advance.<br>
<br>
<br>
Dimitris Zacharopoulos.<br>
<br>
<br>
<br>
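The two questions above turn on two mechanical checks a CA operator can run on its own artifacts: whether a certificate's EKU extension contains id-kp-timeStamping and nothing else, and whether a CRL's thisUpdate/nextUpdate window fits the 7-day (Subscriber) or 12-month (Subordinate CA) cadence of BR 4.9.7. The following is an added example, not code from the original message or from the CA/B Forum; the sample EKU extension values are constructed inline, the minimal DER reader handles only what an ExtKeyUsageSyntax value contains, and the 12-month limit is approximated as 366 days (an assumption of this example).<br>

```python
import datetime as dt

ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"   # id-kp-timeStamping (RFC 5280 / RFC 3161)
ANY_EKU = "2.5.29.37.0"                    # anyExtendedKeyUsage, which defeats an EKU constraint

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    # First octet packs the first two arcs as 40*arc1 + arc2; the rest are base-128 groups.
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear ends the group
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                # long-form length: next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_eku(ext_value: bytes) -> list:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids

def timestamping_only(ext_value: bytes) -> bool:
    """True only when the EKU is exactly {id-kp-timeStamping}; anyEKU or extra purposes fail."""
    return parse_eku(ext_value) == [ID_KP_TIMESTAMPING]

def crl_interval_ok(this_update: dt.datetime, next_update: dt.datetime, subscriber_crl: bool) -> bool:
    """BR 4.9.7 cadence: 7 days for Subscriber CRLs, 12 months (assumed 366 days) for subCA CRLs."""
    limit = dt.timedelta(days=7) if subscriber_crl else dt.timedelta(days=366)
    return dt.timedelta(0) < next_update - this_update <= limit

# Constructed sample DER values of ExtKeyUsageSyntax, not taken from any real certificate.
TSA_ONLY = bytes.fromhex("300a06082b06010505070308")                          # {timeStamping}
TSA_AND_SERVER = bytes.fromhex("301406082b0601050507030806082b06010505070301") # {timeStamping, serverAuth}
```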
</body>
</html>