[Cscwg-public] Requirement for OCSP in Timestamping Certificates

Corey Bonnell Corey.Bonnell at digicert.com
Mon Feb 8 15:18:01 UTC 2021


Hi Dimitris,
I agree that the number of end-entity timestamp responder certificates
issued from a given timestamping ICA is generally low so CRLs should be of
reasonable size for direct consumption by client software. However, I want
to note that in addition to the section in the CSBRs that you noted,
Microsoft Root Program [1] requirement 3.A.5 specifies that all end-entity
certificates must contain an AIA OCSP pointer. Given this, the Microsoft
Root Program requirements will need to be relaxed for at least end-entity
timestamp responder certificates, in addition to any changes made in the
CSBRs.

Thanks,
Corey

[1] https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

-----Original Message-----
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris
Zacharopoulos (HARICA) via Cscwg-public
Sent: Monday, February 1, 2021 4:32 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Requirement for OCSP in Timestamping Certificates


According to the requirements, and section 13.2.1:

"CAs MUST provide OCSP responses for Code Signing Certificates and Timestamp
Certificates for the time period specified in their CPS, which MUST be at
least 10 years after the expiration of the certificate"

However, according to Certificate Consumer policies, either CRL or OCSP is
required to be used.

I would like to ask for Members to consider requiring either CRL or OCSP
information to be required in end-entity certificates used for
Time-stamping. The rationale is that Time-stamping Certificates are very few
compared to other end-entity certificates and CRLs should be considered
sufficient because their size is not significant.

Please let me know your thoughts, concerns or objections.


Thank you,
Dimitris.
