[Cscwg-public] Requirement for OCSP in Timestamping Certificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Feb 8 15:37:38 UTC 2021


Thanks Corey,

I reviewed that section before posting here. My recollection of this 
requirement goes back to when it was introduced by Microsoft, under Jody 
Cloutier. This requirement for "end-entities" was meant to point to 
"Subscriber Certificates" which timestamping certificates are not. 
Policy-wise, timestamping certificates are generally treated as CA 
Certificates so the last sentence should apply to them:

"All other certificate types must contain either an AIA extension with 
an OCSP URL or a CDP extension with a valid CRL URL".

Can our colleagues from Microsoft please clarify the intent of this 
requirement?


Thank you,
Dimitris.



On 8/2/2021 5:18 PM, Corey Bonnell wrote:
> Hi Dimitris,
> I agree that the number of end-entity timestamp responder certificates
> issued from a given timestamping ICA is generally low so CRLs should be of
> reasonable size for direct consumption by client software. However, I want
> to note that in addition to the section in the CSBRs that you noted,
> Microsoft Root Program [1] requirement 3.A.5 specifies that all end-entity
> certificates must contain an AIA OCSP pointer. Given this, the Microsoft
> Root Program requirements will need to be relaxed for at least end-entity
> timestamp responder certificates, in addition to any changes made in the
> CSBRs.
>
> Thanks,
> Corey
>
> [1]
> https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
>
> -----Original Message-----
> From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris
> Zacharopoulos (HARICA) via Cscwg-public
> Sent: Monday, February 1, 2021 4:32 AM
> To: cscwg-public at cabforum.org
> Subject: [Cscwg-public] Requirement for OCSP in Timestamping Certificates
>
>
> According to the requirements, and section 13.2.1:
>
> "CAs MUST provide OCSP responses for Code Signing Certificates and Timestamp
> Certificates for the time period specified in their CPS, which MUST be at
> least 10 years after the expiration of the certificate"
>
> However, according to Certificate Consumer policies, either CRL or OCSP is
> required to be used.
>
> I would like to ask for Members to consider requiring either CRL or OCSP
> information to be required in end-entity certificates used for
> Time-stamping. The rationale is that Time-stamping Certificates are very few
> compared to other end-entity certificates and CRLs should be considered
> sufficient because their size is not significant.
>
> Please let me know your thoughts, concerns or objections.
>
>
> Thank you,
> Dimitris.
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
>

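As an added example (not part of this e-mail thread, the CSBRs, or any Microsoft Root Program document), the check implied by the quoted sentence, "either an AIA extension with an OCSP URL or a CDP extension with a valid CRL URL", written against the DER structures RFC 5280 defines for those two extensions. It uses only the Python standard library: a small DER encoder builds constructed sample Extensions blobs (the URLs and the blobs are made up for the example, not taken from any real certificate), and a small DER walker extracts the OCSP and CRL pointers the way a CA-side lint would before issuance. The function and constant names are this example's own.

```python
"""Check a DER Extensions SEQUENCE for revocation pointers (added example):
an AIA extension carrying an OCSP URL, or a CDP extension carrying a CRL URL.
Standard library only; sample blobs below are constructed for the example."""

OID_AIA = "1.3.6.1.5.5.7.1.1"       # id-pe-authorityInfoAccess (RFC 5280 4.2.2.1)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method
OID_CDP = "2.5.29.31"               # id-ce-cRLDistributionPoints (RFC 5280 4.2.1.13)
TAG_URI = 0x86   # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String
TAG_CTX0 = 0xA0  # [0] constructed: distributionPoint and fullName


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Iterate the (tag, content) pairs directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body


# --- constructed sample extensions (example data, not real certificates) ---

def aia_extension(ocsp_url):
    """AuthorityInfoAccess with one AccessDescription {id-ad-ocsp, URI}."""
    access = der(0x30, encode_oid(OID_AD_OCSP) + der(TAG_URI, ocsp_url.encode("ascii")))
    return der(0x30, encode_oid(OID_AIA) + der(0x04, der(0x30, access)))


def cdp_extension(crl_url):
    """CRLDistributionPoints: DistributionPoint { distributionPoint [0] { fullName [0] { URI } } }."""
    full_name = der(TAG_CTX0, der(TAG_URI, crl_url.encode("ascii")))
    dist_point = der(0x30, der(TAG_CTX0, full_name))
    return der(0x30, encode_oid(OID_CDP) + der(0x04, der(0x30, dist_point)))


def key_usage_extension():
    """critical keyUsage(digitalSignature): unrelated to revocation, but exercises
    the optional BOOLEAN that sits between extnID and extnValue."""
    return der(0x30, encode_oid("2.5.29.15") + der(0x01, b"\xff") + der(0x04, der(0x03, b"\x07\x80")))


def extensions(*exts):
    """The Extensions SEQUENCE as it appears inside a TBSCertificate."""
    return der(0x30, b"".join(exts))


# --- the check ---

def revocation_pointers(extensions_der):
    """Return {'ocsp': [urls], 'crl': [urls]} found in a DER Extensions SEQUENCE."""
    found = {"ocsp": [], "crl": []}
    for _, ext in children(parse_tlv(extensions_der)[1]):
        fields = list(children(ext))
        oid = decode_oid(fields[0][1])
        value = parse_tlv(fields[-1][1])[1]  # extnValue OCTET STRING -> inner SEQUENCE content
        if oid == OID_AIA:
            for _, access in children(value):
                (_, method), (loc_tag, loc) = children(access)
                if decode_oid(method) == OID_AD_OCSP and loc_tag == TAG_URI:
                    found["ocsp"].append(loc.decode("ascii"))
        elif oid == OID_CDP:
            for _, dp in children(value):
                for tag, name in children(dp):
                    if tag != TAG_CTX0:      # skip reasons [1] and cRLIssuer [2]
                        continue
                    for tag2, names in children(name):
                        if tag2 == TAG_CTX0:  # fullName [0], not nameRelativeToCRLIssuer [1]
                            found["crl"].extend(b.decode("ascii") for t, b in children(names) if t == TAG_URI)
    return found


def has_revocation_pointer(extensions_der):
    """True when the certificate carries an OCSP URL in AIA or a CRL URL in CDP."""
    p = revocation_pointers(extensions_der)
    return bool(p["ocsp"] or p["crl"])


if __name__ == "__main__":
    crl_only = extensions(key_usage_extension(), cdp_extension("http://crl.example.test/ts.crl"))
    print(revocation_pointers(crl_only), has_revocation_pointer(crl_only))
    print(has_revocation_pointer(extensions(key_usage_extension())))
```

The walker reads the real structure rather than grepping for "http", so a URI in cRLIssuer or a nameRelativeToCRLIssuer name is not mistaken for a CRL distribution point; to run it on an actual certificate, pass it the content of the `[3] EXPLICIT Extensions` field from the TBSCertificate.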