[Cscwg-public] [EXTERNAL] Suspension of code signing certs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Feb 2 17:01:59 UTC 2021 

This interpretation is very risky because the BRs were not developed 
with code signing in mind but with TLS Certificates. I believe the 
working group should focus on finding areas that are in the BRs, don't 
exist in the CSBRs but are considered meaningful for code signing 
certificates and update the CSBRs. This will avoid any ambiguities about 
the expectations and keep CAs and auditors focused on one document with 
direct references to TLS BRs and EV Guidelines.

For example, in 17.5 of the CSBRs, we have clear requirements for EV 
Code Signing Certificates. Does this mean that 8.7 of the BRs applies 
and this requirement is also applicable for the non-EV Code Signing 
Certificates? One is explicitly called out and the other is implicit 
according to this interpretation.

Similarly for the CRL profile 
<https://github.com/cabforum/servercert/blob/main/docs/BR.md#722-crl-and-crl-entry-extensions> 
and many other cases. These were recent changes to the TLS BRs. Are they 
implicit requirements for code signing certificates?

I believe we should discuss and clarify this issue soon.


Dimitris.



On 2/2/2021 6:47 μ.μ., Adriano Santoni via Cscwg-public wrote:
>
> Thank you Bruce.
>
> That answers my doubt, although indirectly, and I agree with your 
> interpretation.
>
> I am not sure if it is worth to explicitate this in the CSBR ....
>
> Adriano
>
>
> Il 02/02/2021 14:56, Bruce Morton ha scritto:
>>
>> The CSBRs state, “Except where specifically stated or in the event of 
>> conflict in which case these Requirements will prevail, this document 
>> incorporates by reference the Baseline Requirements for the Issuance 
>> and Management of Publicly-Trusted Certificates (“Baseline 
>> Requirements”), the Network and Certificate System Security 
>> Requirements and, in the case of EV Code Signing Certificates, the 
>> Guidelines For The Issuance And Management of Extended Validation 
>> Certificates as established by the CA/Browser Forum, copies of which 
>> are available on the CA/Browser Forum’s website at www.cabforum.org 
>> <http://www.cabforum.org>.”
>>
>> The CSBRs do not state any requirements about suspension of code 
>> signing certificates.
>>
>> BR 4.9.13 states, “The Repository MUST NOT include entries that 
>> indicate that a Certificate is suspended.”
>>
>> My conclusion is that suspension of code signing certificates is not 
>> supported by the CSBRs. If there is agreement, we could make an 
>> update to the CSBRs to make this clear.
>>
>> Bruce.
>>
>> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf 
>> Of *Adriano Santoni via Cscwg-public
>> *Sent:* Tuesday, February 2, 2021 4:38 AM
>> *To:* cscwg-public at cabforum.org
>> *Subject:* [EXTERNAL] [Cscwg-public] Suspension of code signing certs
>>
>> WARNING: This email originated outside of Entrust.
>> DO NOT CLICK links or attachments unless you trust the sender and 
>> know the content is safe.
>>
>> All,
>>
>> this is probably an old matter, but I could not solve my doubts 
>> browsing the past posts.
>>
>> I suppose, but I am not certain, that - as for SSL Server 
>> certificates - Code Signing certificates must not be suspended (that 
>> is, there must not be a CRLReason "certificateHold" in a CRL entry). 
>> But maybe I am wrong, as I cannot find the relevant language in the 
>> Code Signing BR. Anybody, please point me at the right spot in the 
>> document.
>>
>> TIA
>>
>> Adriano
>>
>> Il 01/02/2021 10:32, Dimitris Zacharopoulos (HARICA) via Cscwg-public 
>> ha scritto:
>>
>>
>>     According to the requirements, and section 13.2.1:
>>
>>     "CAs MUST provide OCSP responses for Code Signing Certificates
>>     and Timestamp Certificates for the time period specified in their
>>     CPS, which MUST be at least 10 years after the expiration of the
>>     certificate"
>>
>>     However, according to Certificate Consumer policies, either CRL
>>     or OCSP is required to be used.
>>
>>     I would like to ask for Members to consider requiring either CRL
>>     or OCSP information to be required in end-entity certificates
>>     used for Time-stamping. The rationale is that Time-stamping
>>     Certificates are very few compared to other end-entity
>>     certificates and CRLs should be considered sufficient because
>>     their size is not significant.
>>
>>     Please let me know your thoughts, concerns or objections.
>>
>>
>>     Thank you,
>>     Dimitris.
>>     _______________________________________________
>>     Cscwg-public mailing list
>>     Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org>
>>     https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>     <https://lists.cabforum.org/mailman/listinfo/cscwg-public>
>>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210202/7d1074aa/attachment-0001.html>

More information about the Cscwg-public mailing list