[Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for Authenticode TS

Tim Hollebeek tim.hollebeek at digicert.com
Fri Sep 18 13:32:47 MST 2020


Ok, thanks for confirming.  Just need one more endorser.

 

-Tim

 

From: Ian McMillan <ianmcm at microsoft.com> 
Sent: Friday, September 18, 2020 4:26 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; Dean Coclin
<dean.coclin at digicert.com>; cscwg-public at cabforum.org
Subject: RE: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest
for Authenticode TS

 

That date is spot on (2022 was intended). If I can endorse, you can count on
me.

 

Thanks,

Ian 

 

From: Tim Hollebeek <tim.hollebeek at digicert.com
<mailto:tim.hollebeek at digicert.com> > 
Sent: Friday, September 18, 2020 1:16 PM
To: Ian McMillan <ianmcm at microsoft.com <mailto:ianmcm at microsoft.com> >; Dean
Coclin <dean.coclin at digicert.com <mailto:dean.coclin at digicert.com> >;
cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: [EXTERNAL] RE: [Cscwg-public] Timestamp Tokens (Appendix A [3]) -
SHA1 digest for Authenticode TS

 

Also, on dates, I tried to align them, but then noticed at the end that the
Timestamp Token date is in 2022, not 2021.  Assuming that's intended, it
sounds like the current proposals are:

 

RSA-3072                           June 1, 2021

TS Toks (SHA-1)                April 30, 2022

 

Once I have two endorsers, I'll post an actual ballot with those dates.

 

-Tim

 

From: Ian McMillan <ianmcm at microsoft.com <mailto:ianmcm at microsoft.com> > 
Sent: Friday, September 18, 2020 3:36 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com
<mailto:tim.hollebeek at digicert.com> >; Dean Coclin <dean.coclin at digicert.com
<mailto:dean.coclin at digicert.com> >; cscwg-public at cabforum.org
<mailto:cscwg-public at cabforum.org> 
Subject: RE: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest
for Authenticode TS

 

Thank you Tim! That would be great. 

 

I didn't hear any issues with this update for the Timestamp Tokens, so I'd
like move forward with it to relief that Jan 1 pressure.

 

Thanks,
Ian

 

From: Tim Hollebeek <tim.hollebeek at digicert.com
<mailto:tim.hollebeek at digicert.com> > 
Sent: Friday, September 18, 2020 10:43 AM
To: Dean Coclin <dean.coclin at digicert.com <mailto:dean.coclin at digicert.com>
>; cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> ; Ian
McMillan <ianmcm at microsoft.com <mailto:ianmcm at microsoft.com> >
Subject: [EXTERNAL] RE: [Cscwg-public] Timestamp Tokens (Appendix A [3]) -
SHA1 digest for Authenticode TS

 

Ian,

 

I would be happy to add this change to the RSA-3072 ballot if there is
consensus to do so.

 

-Tim

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org
<mailto:cscwg-public-bounces at cabforum.org> > On Behalf Of Dean Coclin via
Cscwg-public
Sent: Friday, September 11, 2020 12:36 PM
To: Ian McMillan <ianmcm at microsoft.com <mailto:ianmcm at microsoft.com> >;
cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: Re: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest
for Authenticode TS

 

Ian,

 

To make the requested changes requires a ballot with 2 endorsers be
proposed. This will start a formal discussion period and a vote for the
change.

 

Thanks

Dean

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org
<mailto:cscwg-public-bounces at cabforum.org> > On Behalf Of Ian McMillan via
Cscwg-public
Sent: Friday, August 14, 2020 12:01 PM
To: cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: [Cscwg-public] Timestamp Tokens (Appendix A [3]) - SHA1 digest for
Authenticode TS

 

Hi Folks,

 

We are recognizing that in the current Code Signing BRs (v2.0) is in need of
updating to account for support on Authenticode Timestamp countersignatures
with SHA-1 digest for legacy implementations. 

 

Currently, the Code Signing BR's v2.0 in Appendix A [3] Timestamp Tokens
calls for SHA-1 to no longer be allow post January 1, 2021. We recognize
this is in conflict with what Authenticode timestamps will require for
existing timestamping certificates issued prior to January 1, 2021 that
expire past the January 1, 2021 deadline. 

 

I would like to update the Appendix A (3) Timestamp Token to be:

 

                (3) Timestamp Tokens

 

The digest algorithms used to sign Timestamp tokens must match the digest
algorithm used to sign the Timestamp Certificate.

 


 

Generated prior to January 1, 2021

Generated on or after January 1, 2021


Digest algorithm

SHA-256, SHA-384 or SHA-512 (SHA-1 for legacy implementations only)*

SHA-256, SHA-384 or SHA-512 (SHA-1 for legacy implementations only until
April 30, 2022)

 

*CAs can issue SHA-1 certificates to legacy platforms that do not support
SHA-2 only for code signing and timestamping certificates.

 

 Cheers, 

Ian 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200918/bc6d19ca/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200918/bc6d19ca/attachment-0001.p7s>


More information about the Cscwg-public mailing list