[Cscwg-public] [EXTERNAL] Suspension of code signing certs
Adriano Santoni
adriano.santoni at staff.aruba.it
Wed Feb 3 09:09:46 UTC 2021
What Dimitris is saying deserves consideration, IMO.
At any rate, the comparison between the two sets of requirements is made
a bit difficult by their different articulation, as one is RFC3647-based
while the other is not.
Adriano
On 02/02/2021 18:01, Dimitris Zacharopoulos (HARICA) wrote:
>
> This interpretation is very risky because the BRs were not developed
> with code signing in mind but with TLS Certificates. I believe the
> working group should focus on finding areas that are in the BRs, don't
> exist in the CSBRs but are considered meaningful for code signing
> certificates and update the CSBRs. This will avoid any ambiguities
> about the expectations and keep CAs and auditors focused on one
> document with direct references to TLS BRs and EV Guidelines.
>
> For example, in 17.5 of the CSBRs, we have clear requirements for EV
> Code Signing Certificates. Does this mean that 8.7 of the BRs applies
> and this requirement is also applicable for the non-EV Code Signing
> Certificates? One is explicitly called out and the other is implicit
> according to this interpretation.
>
> Similarly for the CRL profile
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#722-crl-and-crl-entry-extensions>
> and many other cases. These were recent changes to the TLS BRs. Are
> they implicit requirements for code signing certificates?
>
> I believe we should discuss and clarify this issue soon.
>
>
> Dimitris.
>
>
>
> On 2/2/2021 6:47 PM, Adriano Santoni via Cscwg-public wrote:
>>
>> Thank you Bruce.
>>
>> That answers my doubt, although indirectly, and I agree with your
>> interpretation.
>>
>> I am not sure if it is worth making this explicit in the CSBR ....
>>
>> Adriano
>>
>>
>> On 02/02/2021 14:56, Bruce Morton wrote:
>>>
>>> The CSBRs state, “Except where specifically stated or in the event
>>> of conflict in which case these Requirements will prevail, this
>>> document incorporates by reference the Baseline Requirements for the
>>> Issuance and Management of Publicly-Trusted Certificates (“Baseline
>>> Requirements”), the Network and Certificate System Security
>>> Requirements and, in the case of EV Code Signing Certificates, the
>>> Guidelines For The Issuance And Management of Extended Validation
>>> Certificates as established by the CA/Browser Forum, copies of which
>>> are available on the CA/Browser Forum’s website at www.cabforum.org
>>> <http://www.cabforum.org>.”
>>>
>>> The CSBRs do not state any requirements about suspension of code
>>> signing certificates.
>>>
>>> BR 4.9.13 states, “The Repository MUST NOT include entries that
>>> indicate that a Certificate is suspended.”
>>>
>>> My conclusion is that suspension of code signing certificates is not
>>> supported by the CSBRs. If there is agreement, we could make an
>>> update to the CSBRs to make this clear.
>>>
>>> Bruce.
>>>
>>> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf
>>> Of *Adriano Santoni via Cscwg-public
>>> *Sent:* Tuesday, February 2, 2021 4:38 AM
>>> *To:* cscwg-public at cabforum.org
>>> *Subject:* [EXTERNAL] [Cscwg-public] Suspension of code signing certs
>>>
>>> All,
>>>
>>> this is probably an old matter, but I could not solve my doubts
>>> browsing the past posts.
>>>
>>> I suppose, but I am not certain, that - as for SSL Server
>>> certificates - Code Signing certificates must not be suspended (that
>>> is, there must not be a CRLReason "certificateHold" in a CRL entry).
>>> But maybe I am wrong, as I cannot find the relevant language in the
>>> Code Signing BR. Anybody, please point me at the right spot in the
>>> document.
>>>
>>> TIA
>>>
>>> Adriano
>>>
>>> On 01/02/2021 10:32, Dimitris Zacharopoulos (HARICA) via
>>> Cscwg-public wrote:
>>>
>>>
>>> According to the requirements, and section 13.2.1:
>>>
>>> "CAs MUST provide OCSP responses for Code Signing Certificates
>>> and Timestamp Certificates for the time period specified in
>>> their CPS, which MUST be at least 10 years after the expiration
>>> of the certificate"
>>>
>>> However, according to Certificate Consumer policies, either CRL
>>> or OCSP is required to be used.
>>>
>>> I would like to ask for Members to consider requiring either CRL
>>> or OCSP information to be required in end-entity certificates
>>> used for Time-stamping. The rationale is that Time-stamping
>>> Certificates are very few compared to other end-entity
>>> certificates and CRLs should be considered sufficient because
>>> their size is not significant.
>>>
>>> Please let me know your thoughts, concerns or objections.
>>>
>>>
>>> Thank you,
>>> Dimitris.
>>> _______________________________________________
>>> Cscwg-public mailing list
>>> Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org>
>>> https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>> <https://lists.cabforum.org/mailman/listinfo/cscwg-public>
>>>
>>
>
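The check this thread turns on, as an added example that is not part of the thread or of any CA's tooling: a Go program that parses a DER-encoded CRL and reports the entries carrying CRLReason certificateHold, the suspension marker Adriano asks about and that BR 4.9.13 forbids in a Repository. The CRL it inspects is constructed in the program from a throwaway self-signed issuer (no real CA data), and the code assumes Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 CRLReason value for certificateHold (a suspended certificate).
const reasonCertificateHold = 6

// SuspendedSerials parses a DER CRL and returns the serials of entries whose reasonCode is certificateHold.
func SuspendedSerials(crlDER []byte) ([]*big.Int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return nil, err }
	var held []*big.Int
	for _, e := range crl.RevokedCertificateEntries {
		if e.ReasonCode == reasonCertificateHold {
			held = append(held, e.SerialNumber)
		}
	}
	return held, nil
}

// sampleCRL is constructed test data (not any real CA's CRL): a throwaway self-signed
// issuer signs a CRL with one keyCompromise entry and one certificateHold entry.
func sampleCRL() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER) // re-parse so RawSubject and SubjectKeyId are populated
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1001), RevocationTime: now, ReasonCode: 1}, // keyCompromise
			{SerialNumber: big.NewInt(1002), RevocationTime: now, ReasonCode: reasonCertificateHold},
		},
	}, ca, key)
	if err != nil { panic(err) }
	return crlDER
}

func main() { fmt.Println(SuspendedSerials(sampleCRL())) }
```

Run against a CA's published CRL instead of sampleCRL(), a non-empty result is exactly the condition BR 4.9.13 rules out.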