<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 8/9/2016 3:07 μμ, Bruce Morton
      wrote:<br>
    </div>
    <blockquote
cite="mid:ea8076166cf8438787eb6bc6b48cc6ec@PMSPEX04.corporate.datacard.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
            Dimitris,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            think the best document to use for a Time-stamping Authority
            is the Minimum Requirements for Code Signing certificates,
            see
            <a moz-do-not-send="true"
href="https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf">https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf</a>.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks,
            Bruce.</span></p>
      </div>
    </blockquote>
    <br>
    Thank you, Bruce; you helped me find answers related to my second
    question. I am not 100% sure if it answers my first question. The
    Minimum Requirements for Code Signing document describes a scenario
    where there are explicit Subordinate CA Certificates for
    TimeStamping, but there is no requirement that forbids end-entity
    certificates from being issued directly from the Root (at least not
    one I could spot straight away). <br>
    <br>
    I guess my 1st question is more focused on what is allowed under the
    currently approved CA/B Forum Baseline Requirements.<br>
    <br>
    <br>
    Best regards,<br>
    Dimitris.<br>
    <br>
    <br>
    <blockquote
cite="mid:ea8076166cf8438787eb6bc6b48cc6ec@PMSPEX04.corporate.datacard.com"
      type="cite">
      <div class="WordSection1">
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                <b>On Behalf Of </b>Dimitris Zacharopoulos<br>
                <b>Sent:</b> Thursday, September 8, 2016 4:34 AM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                <b>Subject:</b> [cabfpub] Questions regarding
                timestamping certificates<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">Hello
          everyone,<br>
          <br>
          We are setting up a new Timestamping Authority and we are
          looking for specific rules that apply to certificates and
          subCA Certificates related to timestamping. While reading
          various standards and the CA/B Forum documents, and after
          looking at various existing implementations of
          publicly-trusted CAs, I have some questions and would
          appreciate any feedback from the forum. Although the BRs apply
          to SSL certificates, some Root Certificates might be used for
          both SSL and timestamping services. So the questions that
          follow apply to CAs that use the same Root Certificate for
          both SSL and timestamping purposes. Of course, the EV
          CodeSigning requirements also define some rules for "EV
          Timestamp Authorities".<o:p></o:p></p>
        <ol start="1" type="1">
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
            level1 lfo1">
            Section 6.1.7 of the Baseline Requirements states that the
            Root CA Private Keys MUST NOT be used to sign end-entity
            certificates with some exceptions. This exception list does
            not specifically mention end-entity certificates with EKU
            id-kp-timeStamping. Are Root CAs allowed to directly issue
            end-entity certificates for timestamping authorities
            (end-entity certificates with EKU only id-kp-timeStamping)?<o:p></o:p></li>
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
            level1 lfo1">
            Section 4.9.7 describes the CRL issuance frequency for
            Subscriber and Subordinate CA Certificates. If there is a
            Subordinate CA Certificate constrained with EKU
            id-kp-timeStamping, is an end-entity certificate (with only
            id-kp-timeStamping) issued from that subCA considered a
            "Subscriber" Certificate? Should this subCA issue CRLs every
            7 days or every 12 months? My understanding (according to
            section 1.1 of the BRs) is that the end-entity certificates
            from that subCA are not required to comply with the CA/B
            Forum BRs. This should allow the CA to choose the CRL
            issuance (from that restricted subCA) to exceed the 7-day
            requirement.<o:p></o:p></li>
        </ol>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
          Thank you in advance.<br>
          <br>
          <br>
          Dimitris Zacharopoulos.<br>
          <br>
          <br>
          <o:p></o:p></p>
      </div>
    </blockquote>
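    <p>As a concrete check for the first question (an added example, not code from this thread or from any CA's tooling): the Go program below builds a constructed Root / timestamping subCA / TSA end-entity chain in memory, then reports whether a certificate carrying only EKU id-kp-timeStamping was signed directly by a self-signed Root, which is the BR 6.1.7 case being asked about, and otherwise whether its issuing subCA is itself constrained to id-kp-timeStamping. The helper names (<code>mkCert</code>, <code>AuditTSALeaf</code>) and the sample CommonNames are assumptions.</p>

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var serial int64                                             // constructed serial counter for test certs
var tsEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping} // EKU containing only id-kp-timeStamping
// mkCert (hypothetical helper) issues a constructed in-memory test certificate; parent == nil yields a self-signed Root.
func mkCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	ku := x509.KeyUsageDigitalSignature // end-entity: signs timestamp tokens
	if isCA { ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// onlyTimeStamping reports whether the certificate's EKU is exactly {id-kp-timeStamping}.
func onlyTimeStamping(c *x509.Certificate) bool {
	return len(c.ExtKeyUsage) == 1 && c.ExtKeyUsage[0] == x509.ExtKeyUsageTimeStamping && len(c.UnknownExtKeyUsage) == 0
}
// AuditTSALeaf (hypothetical helper) verifies the leaf is signed by issuer, then reports whether the issuer is a
// self-signed Root (the BR 6.1.7 case) and, if not, whether that subCA is itself constrained to id-kp-timeStamping.
func AuditTSALeaf(leaf, issuer *x509.Certificate) (rootIssued, subCAConstrained bool, err error) {
	if leaf.IsCA || !onlyTimeStamping(leaf) {
		return false, false, fmt.Errorf("%q is not an end-entity certificate with only id-kp-timeStamping", leaf.Subject.CommonName)
	}
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		return false, false, fmt.Errorf("leaf is not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	rootIssued = bytes.Equal(issuer.RawSubject, issuer.RawIssuer) && issuer.CheckSignatureFrom(issuer) == nil
	return rootIssued, !rootIssued && onlyTimeStamping(issuer), nil
}
```

    <p>Real DER certificates parsed with <code>x509.ParseCertificate</code> can be passed to <code>AuditTSALeaf</code> in place of the constructed ones.</p>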
    <br>
  </body>
</html>