[Cscwg-public] Follow-up on Time-stamp Authority Items

Bruce Morton Bruce.Morton at entrust.com
Fri Dec 17 18:20:44 UTC 2021

TSA Certificate Validity Period

  *   I did reach out to Oracle about revocation and time-stamping. The answer was that a signature is not trusted after the Code Signing certificate has expired or has been revoked. As such, even if the signature was time-stamped it would not be trusted if the Code Signing certificate is revoked or expired.

TSA Rekey every 15 months

  *   CSBR 9.4 states, "The Timestamp Authority MUST use a new Timestamp Certificate with a new private key no later than every 15 months to minimize the impact to users in the event that a Timestamp Certificate's private key is compromised. The validity for a Timestamp Certificate must not exceed 135 months. The Timestamp Certificate MUST meet the "Minimum Cryptographic Algorithm and Key Size Requirements" in Appendix A for the communicated time period."
  *   CSBR 16.1 (2) states, "A Timestamp Authority MUST protect its signing key using a process that is at least to FIPS 140-2 Level 3, Common Criteria EAL 4+ (ALC_FLR.2), or higher. The CA MUST protect its signing operations in accordance with the CA/Browser Forum's Network Security Guidelines. Any changes to its signing process MUST be an auditable event."
  *   QUESTION - Why do we need to change the TSA private key within 15 months if the private key is protected the same way as a CA key (i.e., FIPS 140-2 Level 3 and NetSec)?
  *   The discussion on the call is that a TSA certificate is a leaf certificate, but since the key is managed the same as a Subordinate CA it seems to be more like a CA certificate.

Open for comments.

Thanks, Bruce.