<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
Well, considering that Adobe is not currently a CABF member, I see
no context wherein time stamping plays a role, other than code
signing.<br>
<br>
Adobe already trusts qualified time stamping providers (according to
EU regulations) based on the EU trust lists, in the context of
Document Signing, and I am not aware that they may want to also
trust time stamps based on different criteria.<br>
<p><br>
</p>
In theory, time stamping could be used to extend the validity of an
S/MIME signature beyond the signing certificate's expiration, but
there is no S/MIME client supporting this, and no plans to support
it in the future, so this is just theory. After all, S/MIME
signatures are not meant for the long-term.<br>
<p><br>
</p>
<p>Is there any other context that I am overlooking?</p>
<p><br>
</p>
Adriano<br>
<br>
<p><br>
</p>
<div class="moz-cite-prefix">On 29/04/2021 11:07, Rob Stradling via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001791ce27f33-10971afe-9e09-4f87-ac78-2ac0a1a0a93c-000000@email.amazonses.com">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Could it be argued, at least conceptually, that there should be
a separate CABForum working group dedicated entirely to Time
Stamping? After all, the Code Signing ecosystem doesn't have a
monopoly on Time Stamping. For example, Adobe software uses
Time Stamping in the context of Document Signing. If Adobe
wanted to collaborate with CABForum members on Time Stamping
certificate profiles, what (assuming Adobe had no interest in
Code Signing) would be the best venue for that?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
(Please note: I'm not advocating any position here; I'm just
thinking aloud).</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Cscwg-public <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> on
behalf of Bruce Morton via Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org">&lt;cscwg-public@cabforum.org&gt;</a><br>
<b>Sent:</b> 26 April 2021 14:18<br>
<b>To:</b> Ben Wilson <a class="moz-txt-link-rfc2396E" href="mailto:bwilson@mozilla.com">&lt;bwilson@mozilla.com&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org">&lt;cscwg-public@cabforum.org&gt;</a>;
Dean Coclin <a class="moz-txt-link-rfc2396E" href="mailto:dean.coclin@digicert.com">&lt;dean.coclin@digicert.com&gt;</a>; CA/Browser
Forum Public Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: [cabfpub]
Code signing and Time stamping</font>
<div> </div>
</div>
<div style="word-wrap:break-word" lang="EN-US">
<br>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
To follow up, the CSCWG charter includes the following
documents:</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
a. EV Code Signing Guidelines, v. 1.4 and subsequent
versions</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
b. Version 1.0 Draft of November 19, 2015, Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Code Signing Certificates (subject to
the CSCWG making a written finding that the provenance
of such document is sufficiently covered by the Forum’s
IPR Policy)</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
The documents define requirements or reference:
timestamp authority (TSA), timestamps, timestamp
implementation method, timestamp certificate, timestamp
signed objects, TSA logging, and timestamp key
protection. The documents also define the certificate
profiles for timestamp root, timestamp subordinate CA
and timestamp authority. As such, the CSCWG has
considered it is in scope to manage these documents and
the requirements associated to allow timestamp
signatures with code signed using certificates
conforming to the CSBRs.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
The CSBRs also state, “CAs complying with these
Requirements MAY also assert the reserved policy OIDs in
such Certificates.” The reserved policy OIDs reference
those required for Non-EV and EV code signing
certificates. The CSBRs do not reference an OID for a
timestamp certificate, since the OID has not been
reserved. It is also considered appropriate to use all
applicable reserved certificate policy OIDs as we
consider deploying dedicated PKI hierarchies to support
code signing.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
As such, the CSCWG plans to add the following reserved
certificate policy OID to the CSBRs, which may be
included in a timestamp certificate, which meets the
requirements of the CSBRs:</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
{joint-iso-itu-t(2) international-organizations(23)
ca-browser-forum(140) certificate-policies(1)
code-signing-requirements(4) timestamping(2)}
(2.23.140.1.4.2)</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
Bruce.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<div style="border:none; border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On
Behalf Of </b>
Ben Wilson via Cscwg-public<br>
<b>Sent:</b> Tuesday, April 20, 2021 12:09 PM<br>
<b>To:</b> Dean Coclin
<a class="moz-txt-link-rfc2396E" href="mailto:dean.coclin@digicert.com">&lt;dean.coclin@digicert.com&gt;</a>; CA/Browser Forum
Public Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
[cabfpub] Code signing and Time stamping</p>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<div class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
Just a few thoughts to move this conversation
forward, and speaking as a CSCWG interested party
and not to advocate any position of Mozilla, I think
the answer depends on how strict or flexible the
CABF wants to be as an organization when it comes to
interpreting the scope of a working group charter.</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
It seems that the mention of time stamping in a code
signing work product would be allowed even under a
strict interpretation. While creating standards for
issuing and managing time stamping certificates
would certainly be out of scope with a flexible
interpretation.
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
The Scope in the Charter does not expressly include
or exclude the assignment of a time stamping OID for
time stamping certificates.</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<a href="https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope"
target="_blank" moz-do-not-send="true">https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope</a></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
Included in the scope is "Version 1.0 Draft of
November 19, 2015, Baseline Requirements for the
Issuance and Management of Publicly-Trusted Code
Signing Certificates (subject to the CSCWG making a
written finding that the provenance of such document
is sufficiently covered by the Forum’s IPR
Policy)." Time stamping was discussed in that
draft, and I recall that the CSCWG did make the
required written finding of provenance. Is the
assignment of a timestamping OID a logical outcome
of the continued work on that earlier document?</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
Ben</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via
Public &lt;<a href="mailto:public@cabforum.org"
target="_blank" moz-do-not-send="true">public@cabforum.org</a>&gt;
wrote:</p>
</div>
<blockquote style="border:none; border-left:solid
#CCCCCC 1.0pt; padding:0in 0in 0in 6.0pt;
margin-left:4.8pt; margin-right:0in">
<div>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
A discussion on last week’s CA/B call about code
signing and time stamping brought up a question
as to whether the latter was in scope of the
CSCWG charter (<a
href="https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/"
target="_blank" moz-do-not-send="true">https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/</a>).
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
Bruce said there was no CP OID for time stamping
and that the group wanted to create one IAW with
the CA/B Forum registry. Ryan was concerned that
this was outside the CSCWG charter as it was not
specifically mentioned therein. Dimitris
commented that it was included in charter scope
1a which pulls in the EV CS guidelines where
time stamping is specified. Ryan did not seem
convinced and asked that the discussion continue
on the list.
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
The working group has not had a chance to
discuss this since the Forum meeting but plans
to do so on the next call.
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
I’ve included the CS Public list on this thread
since the topic is of interest to
members/observers there. If a respondent does
not have posting rights, I can re-post for them.</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
Dean</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
</p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank"
moz-do-not-send="true">Public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/public"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/public</a></p>
</blockquote>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</body>
</html>