[Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Ian McMillan ianmcm at microsoft.com
Fri Sep 18 12:36:00 MST 2020


Thank you Tim! That would be great.

I didn't hear any issues with this update for the Timestamp Tokens, so I'd like move forward with it to relief that Jan 1 pressure.

Thanks,
Ian

From: Tim Hollebeek <tim.hollebeek at digicert.com>
Sent: Friday, September 18, 2020 10:43 AM
To: Dean Coclin <dean.coclin at digicert.com>; cscwg-public at cabforum.org; Ian McMillan <ianmcm at microsoft.com>
Subject: [EXTERNAL] RE: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Ian,

I would be happy to add this change to the RSA-3072 ballot if there is consensus to do so.

-Tim

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Dean Coclin via Cscwg-public
Sent: Friday, September 11, 2020 12:36 PM
To: Ian McMillan <ianmcm at microsoft.com<mailto:ianmcm at microsoft.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: Re: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Ian,

To make the requested changes requires a ballot with 2 endorsers be proposed. This will start a formal discussion period and a vote for the change.

Thanks
Dean

From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Ian McMillan via Cscwg-public
Sent: Friday, August 14, 2020 12:01 PM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Hi Folks,

We are recognizing that in the current Code Signing BRs (v2.0) is in need of updating to account for support on Authenticode Timestamp countersignatures with SHA-1 digest for legacy implementations.

Currently, the Code Signing BR's v2.0 in Appendix A [3] Timestamp Tokens calls for SHA-1 to no longer be allow post January 1, 2021. We recognize this is in conflict with what Authenticode timestamps will require for existing timestamping certificates issued prior to January 1, 2021 that expire past the January 1, 2021 deadline.

I would like to update the Appendix A (3) Timestamp Token to be:

                (3) Timestamp Tokens

The digest algorithms used to sign Timestamp tokens must match the digest algorithm used to sign the Timestamp Certificate.


Generated prior to January 1, 2021
Generated on or after January 1, 2021
Digest algorithm
SHA-256, SHA-384 or SHA-512 (SHA-1 for legacy implementations only)*
SHA-256, SHA-384 or SHA-512 (SHA-1 for legacy implementations only until April 30, 2022)

*CAs can issue SHA-1 certificates to legacy platforms that do not support SHA-2 only for code signing and timestamping certificates.

 Cheers,
Ian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200918/86a6f705/attachment.html>


More information about the Cscwg-public mailing list