[Cscwg-public] [EXTERNAL] Suspension of code signing certs
Adriano Santoni
adriano.santoni at staff.aruba.it
Tue Feb 2 16:47:29 UTC 2021
Thank you Bruce.
That answers my doubt, although indirectly, and I agree with your
interpretation.
I am not sure whether it is worth making this explicit in the CSBR ....
Adriano
On 02/02/2021 14:56, Bruce Morton wrote:
>
> The CSBRs state, “Except where specifically stated or in the event of
> conflict in which case these Requirements will prevail, this document
> incorporates by reference the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates (“Baseline
> Requirements”), the Network and Certificate System Security
> Requirements and, in the case of EV Code Signing Certificates, the
> Guidelines For The Issuance And Management of Extended Validation
> Certificates as established by the CA/Browser Forum, copies of which
> are available on the CA/Browser Forum’s website at www.cabforum.org.”
>
> The CSBRs do not state any requirements about suspension of code
> signing certificates.
>
> BR 4.9.13 states, “The Repository MUST NOT include entries that
> indicate that a Certificate is suspended.”
>
> My conclusion is that suspension of code signing certificates is not
> supported by the CSBRs. If there is agreement, we could make an update
> to the CSBRs to make this clear.
>
> Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of* Adriano Santoni via Cscwg-public
> *Sent:* Tuesday, February 2, 2021 4:38 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Cscwg-public] Suspension of code signing certs
>
> All,
>
> this is probably an old matter, but I could not solve my doubts
> browsing the past posts.
>
> I suppose, but I am not certain, that - as for SSL Server certificates
> - Code Signing certificates must not be suspended (that is, there must
> not be a CRLReason "certificateHold" in a CRL entry). But maybe I am
> wrong, as I cannot find the relevant language in the Code Signing BR.
> Anybody, please point me at the right spot in the document.
>
> TIA
>
> Adriano
>
> On 01/02/2021 10:32, Dimitris Zacharopoulos (HARICA) via Cscwg-public
> wrote:
>
>
> According to the requirements, and section 13.2.1:
>
> "CAs MUST provide OCSP responses for Code Signing Certificates and
> Timestamp Certificates for the time period specified in their CPS,
> which MUST be at least 10 years after the expiration of the
> certificate"
>
> However, according to Certificate Consumer policies, either CRL or
> OCSP is required to be used.
>
> I would like to ask for Members to consider requiring either CRL
> or OCSP information to be required in end-entity certificates used
> for Time-stamping. The rationale is that Time-stamping
> Certificates are very few compared to other end-entity
> certificates and CRLs should be considered sufficient because
> their size is not significant.
>
> Please let me know your thoughts, concerns or objections.
>
>
> Thank you,
> Dimitris.