[Cscwg-public] [EXTERNAL] Suspension of code signing certs

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Feb 3 09:09:46 UTC 2021


What Dimitris is saying deserves consideration, IMO.

At any rate, the comparison between the two sets of requirements is made 
a bit difficult by their different articulation, as one is RFC3647-based 
while the other is not.

Adriano


On 02/02/2021 18:01, Dimitris Zacharopoulos (HARICA) wrote:
>
> This interpretation is very risky because the BRs were not developed 
> with code signing in mind but with TLS Certificates. I believe the 
> working group should focus on finding areas that are in the BRs, don't 
> exist in the CSBRs but are considered meaningful for code signing 
> certificates and update the CSBRs. This will avoid any ambiguities 
> about the expectations and keep CAs and auditors focused on one 
> document with direct references to TLS BRs and EV Guidelines.
>
> For example, in 17.5 of the CSBRs, we have clear requirements for EV 
> Code Signing Certificates. Does this mean that 8.7 of the BRs applies 
> and this requirement is also applicable for the non-EV Code Signing 
> Certificates? One is explicitly called out and the other is implicit 
> according to this interpretation.
>
> Similarly for the CRL profile 
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#722-crl-and-crl-entry-extensions> 
> and many other cases. These were recent changes to the TLS BRs. Are 
> they implicit requirements for code signing certificates?
>
> I believe we should discuss and clarify this issue soon.
>
>
> Dimitris.
>
>
>
> On 2/2/2021 6:47 p.m., Adriano Santoni via Cscwg-public wrote:
>>
>> Thank you Bruce.
>>
>> That answers my doubt, although indirectly, and I agree with your 
>> interpretation.
>>
>> I am not sure whether it is worth making this explicit in the CSBR ...
>>
>> Adriano
>>
>>
>> On 02/02/2021 14:56, Bruce Morton wrote:
>>>
>>> The CSBRs state, “Except where specifically stated or in the event 
>>> of conflict in which case these Requirements will prevail, this 
>>> document incorporates by reference the Baseline Requirements for the 
>>> Issuance and Management of Publicly-Trusted Certificates (“Baseline 
>>> Requirements”), the Network and Certificate System Security 
>>> Requirements and, in the case of EV Code Signing Certificates, the 
>>> Guidelines For The Issuance And Management of Extended Validation 
>>> Certificates as established by the CA/Browser Forum, copies of which 
>>> are available on the CA/Browser Forum’s website at www.cabforum.org 
>>> <http://www.cabforum.org>.”
>>>
>>> The CSBRs do not state any requirements about suspension of code 
>>> signing certificates.
>>>
>>> BR 4.9.13 states, “The Repository MUST NOT include entries that 
>>> indicate that a Certificate is suspended.”
>>>
>>> My conclusion is that suspension of code signing certificates is not 
>>> supported by the CSBRs. If there is agreement, we could make an 
>>> update to the CSBRs to make this clear.
>>>
>>> Bruce.
>>>
>>> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf 
>>> Of *Adriano Santoni via Cscwg-public
>>> *Sent:* Tuesday, February 2, 2021 4:38 AM
>>> *To:* cscwg-public at cabforum.org
>>> *Subject:* [EXTERNAL] [Cscwg-public] Suspension of code signing certs
>>>
>>> All,
>>>
>>> this is probably an old matter, but I could not solve my doubts 
>>> browsing the past posts.
>>>
>>> I suppose, but I am not certain, that - as for SSL Server 
>>> certificates - Code Signing certificates must not be suspended (that 
>>> is, there must not be a CRLReason "certificateHold" in a CRL entry). 
>>> But maybe I am wrong, as I cannot find the relevant language in the 
>>> Code Signing BR. Anybody, please point me at the right spot in the 
>>> document.
>>>
>>> TIA
>>>
>>> Adriano
>>>
>>> On 01/02/2021 10:32, Dimitris Zacharopoulos (HARICA) via 
>>> Cscwg-public wrote:
>>>
>>>
>>>     According to the requirements, and section 13.2.1:
>>>
>>>     "CAs MUST provide OCSP responses for Code Signing Certificates
>>>     and Timestamp Certificates for the time period specified in
>>>     their CPS, which MUST be at least 10 years after the expiration
>>>     of the certificate"
>>>
>>>     However, according to Certificate Consumer policies, either CRL
>>>     or OCSP is required to be used.
>>>
>>>     I would like to ask for Members to consider requiring either CRL
>>>     or OCSP information to be required in end-entity certificates
>>>     used for Time-stamping. The rationale is that Time-stamping
>>>     Certificates are very few compared to other end-entity
>>>     certificates and CRLs should be considered sufficient because
>>>     their size is not significant.
>>>
>>>     Please let me know your thoughts, concerns or objections.
>>>
>>>
>>>     Thank you,
>>>     Dimitris.
>>>     _______________________________________________
>>>     Cscwg-public mailing list
>>>     Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org>
>>>     https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>>     <https://lists.cabforum.org/mailman/listinfo/cscwg-public>
>>>
>>
>
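The thread turns on one checkable requirement: a CRL published for code signing certificates must carry no certificateHold entries (BR 4.9.13, incorporated into the CSBRs by reference). The Go program below is an added example, not code from the list or the CA/Browser Forum; it scans a DER CRL for that reason code, and the self-signed issuer, serials and dates it uses are constructed test data. It assumes a Go toolchain with x509.RevocationListEntry (Go 1.21 or later).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// SuspendedSerials returns the serials of CRL entries whose reasonCode is certificateHold
// (6, RFC 5280 5.3.1), which BR 4.9.13, incorporated by the CSBRs, forbids a CA to publish.
func SuspendedSerials(der []byte) ([]string, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	var held []string
	for _, e := range crl.RevokedCertificateEntries {
		if e.ReasonCode == 6 { // certificateHold
			held = append(held, e.SerialNumber.String())
		}
	}
	return held, nil
}

// must panics on error; used only while building the constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ConstructedCRL signs a test CRL with a throwaway self-signed issuer: one
// keyCompromise entry and one certificateHold entry. Serials and dates are
// invented; the issuer is re-parsed so it carries the SubjectKeyId Go generates.
func ConstructedCRL() []byte {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	issuer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key))))
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1001), RevocationTime: now, ReasonCode: 1}, // keyCompromise: allowed
			{SerialNumber: big.NewInt(1002), RevocationTime: now, ReasonCode: 6}, // certificateHold: forbidden
		}}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))
}
```

Pointed at a CA's real CRL, a non-empty result from SuspendedSerials is exactly the condition Bruce's reading of BR 4.9.13 rules out.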