<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 8/9/2016 4:59 PM, Bruce Morton
wrote:<br>
</div>
<blockquote
cite="mid:a3c0a365b0f94ae18c987febe11f27ee@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
Dimitris,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
don’t think that the spirit of BR 6.1.7 would be for a root
CA to issue a certificate for a TSA. Also, the members of
the Code Signing Working Group have recommended that there
be a separate CA for issuing time-stamping certificates
which is defined in Appendix B (4) of the
</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Minimum
Requirements for Code Signing certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
That was my initial reading too and thank you for confirming. If
others think that's not the case, please let us know.<br>
<br>
<blockquote
cite="mid:a3c0a365b0f94ae18c987febe11f27ee@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">You
may want to get feedback directly from the vendor of the
client software which will validate the time-stamp
signatures.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
I don't think that will be necessary because if the standards
require a 2-level certificate chain verification, the client
software must support it :)<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<blockquote
cite="mid:a3c0a365b0f94ae18c987febe11f27ee@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Bruce.</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
Dimitris Zacharopoulos [<a class="moz-txt-link-freetext" href="mailto:jimmy@it.auth.gr">mailto:jimmy@it.auth.gr</a>]
<br>
<b>Sent:</b> Thursday, September 8, 2016 9:03 AM<br>
<b>To:</b> Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a>; <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Questions regarding
timestamping certificates<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 8/9/2016 3:07 PM, Bruce Morton wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
Dimitris,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
think the best document to use for Time-stamping Authority
is the Minimum Requirements for Code Signing certificates,
see
<a moz-do-not-send="true"
href="https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf">https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf</a>.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks,
Bruce.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Thank you, Bruce, you helped me find answers related to my
second question. I am not 100% sure if it answers my first
question. The minimum requirements for code signing document
describes a scenario where there are explicit Subordinate CA
Certificates for TimeStamping but there is no requirement that
forbids end-entity certificates to be issued directly from the
Root (at least not one I could spot straight away).
<br>
<br>
I guess my 1st question is more focused on what is allowed
under the currently approved CA/B Forum Baseline Requirements.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dimitris Zacharopoulos<br>
<b>Sent:</b> Thursday, September 8, 2016 4:34 AM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] Questions regarding
timestamping certificates</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hello
everyone,<br>
<br>
We are setting up a new Timestamping Authority and we are
looking for specific rules that apply to certificates and
subCA Certificates related to timestamping. While reading
various standards and the CA/B Forum documents, and after
looking at various existing implementations of
publicly-trusted CAs, I have some questions and would
appreciate any feedback from the forum. Although the BRs
apply to SSL certificates, some Root Certificates might be
used for both SSL and timestamping services. So the
questions that follow apply to CAs that use the same Root
Certificate for both SSL and timestamping purposes. Of
course, the EV CodeSigning requirements also define some
rules for "EV Timestamp Authorities".<o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo3">
Section 6.1.7 of the Baseline Requirements states that the
Root CA Private Keys MUST NOT be used to sign end-entity
certificates with some exceptions. This exception list
does not specifically mention end-entity certificates with
EKU id-kp-timeStamping. Are Root CAs allowed to directly
issue end-entity certificates for timestamping authorities
(end-entity certificates with EKU only
id-kp-timeStamping)?<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo3">
Section 4.9.7 describes the CRL issuance frequency for
Subscriber and Subordinate CA Certificates. If there is a
Subordinate CA Certificate constrained with EKU
id-kp-timeStamping, is an end-entity certificate (with
only id-kp-timeStamping) issued from that subCA considered
a "Subscriber" Certificate? Should this subCA issue CRLs
every 7 days or every 12 months? My understanding
(according to section 1.1 of the BRs) is that the
end-entity certificates from that subCA are not required
to comply with the CA/B Forum BRs. This should allow the
CA to choose the CRL issuance (from that restricted
subCA) to exceed the 7-day requirement.<o:p></o:p></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Thank you in advance.<br>
<br>
<br>
Dimitris Zacharopoulos.<br>
<br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
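<p>The hierarchy the thread converges on (a TSA certificate issued from a dedicated, EKU-constrained subordinate CA rather than directly from the root, with the leaf carrying only id-kp-timeStamping) can be checked mechanically. The following is an added example written for this archive page, not code from the CA/B Forum or from either participant; it assumes the Python <code>cryptography</code> library, ECDSA P-256 keys, and constructed test certificates with made-up names.</p>

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

TSA_EKU = ExtendedKeyUsageOID.TIME_STAMPING  # id-kp-timeStamping, 1.3.6.1.5.5.7.3.8

def make_cert(cn, key, issuer, issuer_key, is_ca, ekus=None):  # issuer=None -> self-signed root
    now = datetime.now(timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus:  # EKU restricts what the certificate (or CA) may be used for
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=True)
    return b.sign(issuer_key or key, hashes.SHA256())

def ekus_of(cert):
    try:
        return set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return set()

def check_tsa_chain(chain):
    """chain = [leaf, intermediates..., root]. Returns policy findings (empty list = OK)."""
    findings = []
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):  # the root verifies itself
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            findings.append("signature on %s not made by %s" % (cert.subject.rfc4514_string(), issuer.subject.rfc4514_string()))
    if ekus_of(chain[0]) != {TSA_EKU}:
        findings.append("TSA leaf EKU must be exactly id-kp-timeStamping")
    if len(chain) < 3:  # leaf's issuer is the root itself
        findings.append("TSA leaf issued directly by the Root CA; use a dedicated subordinate CA")
    elif TSA_EKU not in ekus_of(chain[1]):
        findings.append("issuing subordinate CA is not EKU-constrained to id-kp-timeStamping")
    return findings

def demo():
    root_key, sub_key, tsa_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root CA", root_key, None, None, True)  # constructed hierarchy
    sub = make_cert("Example Timestamping CA", sub_key, root, root_key, True, [TSA_EKU])
    tsa = make_cert("Example TSA", tsa_key, sub, sub_key, False, [TSA_EKU])
    direct = make_cert("Example TSA (root-issued)", tsa_key, root, root_key, False, [TSA_EKU])
    return check_tsa_chain([tsa, sub, root]), check_tsa_chain([direct, root])
```

<p><code>demo()</code> returns an empty findings list for the three-level chain and one finding for the root-issued TSA certificate.</p>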
</body>
</html>