[Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Dean Coclin dean.coclin at digicert.com
Fri Sep 11 09:35:54 MST 2020


Ian,

 

Making the requested changes requires that a ballot with 2 endorsers be
proposed. This will start a formal discussion period and a vote for the
change.

 

Thanks

Dean

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian
McMillan via Cscwg-public
Sent: Friday, August 14, 2020 12:01 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for
Authenticode TS

 

Hi Folks,

 

We are recognizing that the current Code Signing BRs (v2.0) is in need of
updating to account for support of Authenticode Timestamp countersignatures
with SHA-1 digest for legacy implementations.

 

Currently, the Code Signing BRs v2.0 in Appendix A [3] Timestamp Tokens
calls for SHA-1 to no longer be allowed post January 1, 2021. We recognize
this is in conflict with what Authenticode timestamps will require for
existing timestamping certificates issued prior to January 1, 2021 that
expire past the January 1, 2021 deadline.

 

I would like to update the Appendix A (3) Timestamp Token to be:

 

                (3) Timestamp Tokens

 

The digest algorithms used to sign Timestamp tokens must match the digest
algorithm used to sign the Timestamp Certificate.

 


 

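+------------------+--------------------------------+--------------------------------+
|                  | Generated prior to             | Generated on or after          |
|                  | January 1, 2021                | January 1, 2021                |
+------------------+--------------------------------+--------------------------------+
| Digest algorithm | SHA-256, SHA-384 or SHA-512    | SHA-256, SHA-384 or SHA-512    |
|                  | (SHA-1 for legacy              | (SHA-1 for legacy              |
|                  | implementations only)*         | implementations only until     |
|                  |                                | April 30, 2022)                |
+------------------+--------------------------------+--------------------------------+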

 

*CAs can issue SHA-1 certificates to legacy platforms that do not support
SHA-2 only for code signing and timestamping certificates.

 

 Cheers, 

Ian 

 
