<div dir="ltr"><div>Just a few thoughts to move this conversation forward, and speaking as a CSCWG interested party and not to advocate any position of Mozilla, I think the answer depends on how strict or flexible the CABF wants to be as an organization when it comes to interpreting the scope of a working group charter.</div><div><br></div><div></div><div>It seems that the mention of time stamping in a code signing work product would be allowed even under a strict interpretation. While creating standards for issuing and managing time stamping certificates would certainly be out of scope with a flexible interpretation.
</div><div><br></div><div>The Scope in the Charter does not expressly include or exclude the assignment of a time stamping OID for time stamping certificates.</div><div><a href="https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope" target="_blank">https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope</a></div><div><br></div><div>Included in the scope is "Version 1.0 Draft of November 19, 2015, Baseline Requirements for the
Issuance and Management of Publicly-Trusted Code Signing Certificates
(subject to the CSCWG making a written finding that the provenance of
such document is sufficiently covered by the Forum’s IPR Policy)." Time stamping was discussed in that draft, and I recall that the CSCWG did make the required written finding of provenance. Is the assignment of a timestamping OID a logical outcome of the continued work on that earlier document?</div><div><br></div><div>Ben<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div><p class="MsoNormal">A discussion on last week’s CA/B call about code signing and time stamping brought up a question as to whether the latter was in scope of the CSCWG charter (<a href="https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/" target="_blank">https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/</a>). <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Bruce said there was no CP OID for time stamping and that the group wanted to create one IAW with the CA/B Forum registry. Ryan was concerned that this was outside the CSCWG charter as it was not specifically mentioned therein. Dimitris commented that it was included in charter scope 1a which pulls in the EV CS guidelines where time stamping is specified. Ryan did not seem convinced and asked that the discussion continue on the list. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The working group has not had a chance to discuss this since the Forum meeting but plans to do so on the next call. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’ve included the CS Public list on this thread since the topic is of interest to members/observers there. If a respondent does not have posting rights, I can re-post for them.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Dean<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/public</a><br>
</blockquote></div>