<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    Yes, I was wondering if this is in fact allowed by the BRs. In a
    case where you have a Root that doesn't have the SSL trust-bits, I
    am sure you can do that. But what happens if your Root is included
    in the browsers with the SSL trust-bits set?<br>
    <br>
    Dimitris.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 8/9/2016 6:14 PM, Inigo Barreira
      wrote:<br>
    </div>
    <blockquote
      cite="mid:E677B1B22533A54B94F55AD3825E190BFECAC4@mx3.startssl.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Well,
            it depends. There are some software vendors that “request”
            to have the TSA signed by a known certificate, and as they
            only trust the root certificate, usually to get your
            timestamps “recognized” you have to sign the TSA with the CA
            root cert just in case.</span></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
                style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">From:</span></b><span
                style="font-size:10.0pt;font-family:Tahoma,sans-serif;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Dimitris
                Zacharopoulos<br>
                <b>Sent:</b> Thursday, September 8, 2016 16:39<br>
                <b>To:</b> Bruce Morton<br>
                <b>CC:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Questions regarding
                timestamping certificates</span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">On 8/9/2016 4:59 PM, Bruce Morton wrote:</p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Hi
              Dimitris,</span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">I
              don’t think that the spirit of BR 6.1.7 would be for a
              root CA to issue a certificate for a TSA. Also, the
              members of the Code Signing Working Group have recommended
              that there be a separate CA for issuing time-stamping
              certificates, which is defined in Appendix B (4) of the
              Minimum Requirements for Code Signing certificates.</span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
        </blockquote>
        <p class="MsoNormal"><br>
          That was my initial reading too and thank you for confirming.
          If others think that's not the case, please let us know.<br>
          <br>
          <br>
          <o:p></o:p></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">You
            may want to get feedback directly from the vendor of the
            client software which will validate the time-stamp
            signatures.</span></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
        <p class="MsoNormal"><br>
          I don't think that will be necessary because if the standards
          require a 2 level certificate chain verification, the client
          software must support it :)<br>
          <br>
          <br>
          Best regards,<br>
          Dimitris.<br>
          <br>
          <br>
        </p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Bruce.</span></p>
        <p class="MsoNormal"><span
            style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b><span
                style="font-size:11.0pt;font-family:Calibri,sans-serif;color:windowtext">From:</span></b><span
                style="font-size:11.0pt;font-family:Calibri,sans-serif;color:windowtext">
                Dimitris Zacharopoulos [<a moz-do-not-send="true"
                  href="mailto:jimmy@it.auth.gr">mailto:jimmy@it.auth.gr</a>]
                <br>
                <b>Sent:</b> Thursday, September 8, 2016 9:03 AM<br>
                <b>To:</b> Bruce Morton <a moz-do-not-send="true"
                  href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a>;
                <a moz-do-not-send="true"
                  href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> Re: [cabfpub] Questions regarding
                timestamping certificates</span><o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"> <o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 8/9/2016 3:07 PM, Bruce Morton wrote:</p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Hi
              Dimitris,</span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">I
              think the best document to use for Time-stamping Authority
              is the Minimum Requirements for Code Signing certificates,
              see <a moz-do-not-send="true"
              href="https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf">https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf</a>.</span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D">Thanks,
              Bruce.</span></p>
        </blockquote>
        <p class="MsoNormal"><br>
          Thank you, Bruce; you helped me find answers related to my
          second question. I am not 100% sure if it answers my first
          question. The minimum requirements for code signing document
          describes a scenario where there are explicit Subordinate CA
          Certificates for TimeStamping, but there is no requirement that
          forbids end-entity certificates from being issued directly from the
          Root (at least not one I could spot straight away). <br>
          <br>
          I guess my 1st question is more focused on what is allowed
          under the currently approved CA/B Forum Baseline Requirements.<br>
          <br>
          <br>
          Best regards,<br>
          Dimitris.<br>
          <br>
          <br>
          <br>
          <br>
        </p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
              style="font-size:11.0pt;font-family:Calibri,sans-serif;color:#1F497D"> </span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0cm 0cm 0cm">
              <p class="MsoNormal"><b><span
                  style="font-size:11.0pt;font-family:Calibri,sans-serif;color:windowtext">From:</span></b><span
                  style="font-size:11.0pt;font-family:Calibri,sans-serif;color:windowtext">
                  <a moz-do-not-send="true"
                    href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                  [<a moz-do-not-send="true"
                    href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                  <b>On Behalf Of </b>Dimitris Zacharopoulos<br>
                  <b>Sent:</b> Thursday, September 8, 2016 4:34 AM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                  <b>Subject:</b> [cabfpub] Questions regarding
                  timestamping certificates</span><o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"> <o:p></o:p></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt">Hello
            everyone,<br>
            <br>
            We are setting up a new Timestamping Authority and we are
            looking for specific rules that apply to certificates and
            subCA Certificates related to timestamping. While reading
            various standards and the CA/B Forum documents, and after
            looking at various existing implementations of
            publicly-trusted CAs, I have some questions and would
            appreciate any feedback from the forum. Although the BRs
            apply to SSL certificates, some Root Certificates might be
            used for both SSL and timestamping services. So the
            questions that follow apply to CAs that use the same Root
            Certificate for both SSL and timestamping purposes. Of
            course, the EV CodeSigning requirements also define some
            rules for "EV Timestamp Authorities".</p>
          <ol start="1" type="1">
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
              level1 lfo1">Section 6.1.7 of the Baseline Requirements
              states that the Root CA Private Keys MUST NOT be used to
              sign end-entity certificates with some exceptions. This
              exception list does not specifically mention end-entity
              certificates with EKU id-kp-timeStamping. Are Root CAs
              allowed to directly issue end-entity certificates for
              timestamping authorities (end-entity certificates with EKU
              only id-kp-timeStamping)?<o:p></o:p></li>
            <li class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
              level1 lfo1">Section 4.9.7 describes the CRL issuance
              frequency for Subscriber and Subordinate CA Certificates.
              If there is a Subordinate CA Certificate constrained with
              EKU id-kp-timeStamping, is an end-entity certificate (with
              only id-kp-timeStamping) issued from that subCA considered
              a "Subscriber" Certificate? Should this subCA issue CRLs
              every 7 days or every 12 months? My understanding
              (according to section 1.1 of the BRs) is that the
              end-entity certificates from that subCA are not required
              to comply with the CA/B Forum BRs. This should allow the
              CA to choose a CRL issuance interval (from that restricted
              subCA) that exceeds the 7-day requirement.</li>
          </ol>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
            Thank you in advance.<br>
            <br>
            <br>
            Dimitris Zacharopoulos.<br>
            <br>
            <br>
            <br>
            <br>
            <o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"> <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
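An added example, not part of this thread or of the CA/B Forum documents: a Go check that encodes the reading reached above, that a TSA end-entity certificate (EKU only id-kp-timeStamping) should be issued by a subordinate CA that is EKU-constrained to timestamping, never directly by the root key (BR 6.1.7). The certificates, their names and the `issue` helper are constructed test data; the check itself (`CheckTSAIssuance`) uses only the standard library.<br>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue builds a constructed test certificate (not real CA material) for cn, signed by parent/parentKey; nil for both yields a self-signed root.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate,
	parentKey ed25519.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: eku}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err) // inputs are constructed, so any failure is a bug in this example
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// CheckTSAIssuance encodes the thread's reading of BR 6.1.7: the TSA leaf carries only id-kp-timeStamping, is not signed by a root key, and its issuing subCA is EKU-constrained.
func CheckTSAIssuance(leaf, issuer *x509.Certificate) error {
	if len(leaf.ExtKeyUsage) != 1 || leaf.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping {
		return errors.New("leaf EKU must be exactly id-kp-timeStamping")
	}
	if issuer.CheckSignatureFrom(issuer) == nil { // self-signed issuer: a root key signed this leaf
		return errors.New("TSA certificate issued directly by a root CA key (BR 6.1.7)")
	}
	for _, e := range issuer.ExtKeyUsage {
		if e == x509.ExtKeyUsageTimeStamping {
			return leaf.CheckSignatureFrom(issuer) // and confirm this subCA really signed the leaf
		}
	}
	return errors.New("issuing subordinate CA is not EKU-constrained to id-kp-timeStamping")
}

// Demo: root -> timestamping subCA -> TSA leaf should pass; a TSA leaf straight from the root should not.
func Demo() (viaSubCA, fromRoot error) {
	root, rootKey := issue("Constructed Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	sub, subKey := issue("Constructed Timestamping CA", 2, x509.KeyUsageCertSign, root, rootKey, x509.ExtKeyUsageTimeStamping)
	good, _ := issue("TSA via subCA", 3, x509.KeyUsageDigitalSignature, sub, subKey, x509.ExtKeyUsageTimeStamping)
	bad, _ := issue("TSA from root", 4, x509.KeyUsageDigitalSignature, root, rootKey, x509.ExtKeyUsageTimeStamping)
	return CheckTSAIssuance(good, sub), CheckTSAIssuance(bad, root)
}
```

Demo returns nil for the subCA-issued leaf and a non-nil error for the root-issued one; running the same check against a real TSA chain only needs the parsed leaf and issuer certificates.<br>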
  </body>
</html>