[Cscwg-public] Requirement for OCSP in Timestamping Certificates

Ian McMillan ianmcm at microsoft.com
Fri Feb 12 01:29:37 UTC 2021


To follow up here as we discussed today in the WG meeting, I will be looking into timestamping certificates' usage of OCSP with our TRP team and platform integrity folks to understand the history and behaviors. I will update you all on what I find in the next CSCWG call.

Thanks,
Ian 

-----Original Message-----
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Cscwg-public
Sent: Monday, February 8, 2021 7:18 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Requirement for OCSP in Timestamping Certificates

Hi Dimitris,
I agree that the number of end-entity timestamp responder certificates issued from a given timestamping ICA is generally low so CRLs should be of reasonable size for direct consumption by client software. However, I want to note that in addition to the section in the CSBRs that you noted, Microsoft Root Program [1] requirement 3.A.5 specifies that all end-entity certificates must contain an AIA OCSP pointer. Given this, the Microsoft Root Program requirements will need to be relaxed for at least end-entity timestamp responder certificates, in addition to any changes made in the CSBRs.

Thanks,
Corey

[1]
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

-----Original Message-----
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Monday, February 1, 2021 4:32 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Requirement for OCSP in Timestamping Certificates


According to the requirements, and section 13.2.1:

"CAs MUST provide OCSP responses for Code Signing Certificates and Timestamp Certificates for the time period specified in their CPS, which MUST be at least 10 years after the expiration of the certificate"

However, according to Certificate Consumer policies, either CRL or OCSP is required to be used.

I would like to ask for Members to consider requiring either CRL or OCSP information to be required in end-entity certificates used for Time-stamping. The rationale is that Time-stamping Certificates are very few compared to other end-entity certificates and CRLs should be considered sufficient because their size is not significant.

Please let me know your thoughts, concerns or objections.


Thank you,
Dimitris.
_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public
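As an added example that is not part of this thread and not code from the CA/Browser Forum, HARICA or Microsoft, the Go program below (standard library only) builds a constructed timestamp responder certificate and evaluates it against the two policies the thread compares: the OCSP-mandatory rule Corey attributes to Microsoft Root Program requirement 3.A.5, and Dimitris's proposal that either a CRL or an OCSP pointer suffices, together with the 10-year OCSP availability horizon quoted from CSBR section 13.2.1. The subject name, validity dates and any URLs passed in are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// hasRequiredPointers applies the two policies in the thread: ocspMandatory=true is the rule Corey
// cites (Microsoft Root Program 3.A.5, AIA OCSP pointer required); false is Dimitris's proposal,
// under which either a CRL pointer or an OCSP pointer suffices.
func hasRequiredPointers(cert *x509.Certificate, ocspMandatory bool) bool {
	hasOCSP := len(cert.OCSPServer) > 0           // AIA id-ad-ocsp accessLocation present
	hasCRL := len(cert.CRLDistributionPoints) > 0 // cRLDistributionPoints URL present
	return hasOCSP || (!ocspMandatory && hasCRL)
}

// ocspServiceDeadline applies CSBR 13.2.1 as quoted in the thread: OCSP responses must stay
// available for at least 10 years after the certificate expires.
func ocspServiceDeadline(cert *x509.Certificate) time.Time {
	return cert.NotAfter.AddDate(10, 0, 0)
}

// newTimestampCert builds a self-signed, constructed test certificate with the timestamping EKU.
// A nil slice omits the corresponding extension; any URLs passed in are hypothetical.
func newTimestampCert(ocspURLs, crlURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed TSA Responder"},
		NotBefore:             time.Date(2021, 2, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2022, 2, 1, 0, 0, 0, 0, time.UTC),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
		OCSPServer:            ocspURLs,
		CRLDistributionPoints: crlURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A CRL-only responder certificate fails `hasRequiredPointers(cert, true)` but passes `hasRequiredPointers(cert, false)`, which is exactly the gap between the two rules the thread is about.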


