[Cscwg-public] F2F Minutes
Atsushi Inaba
atsushi.inaba at globalsign.com
Tue Mar 2 22:44:54 UTC 2021
Hello Bruce,
Thank you for the immediate response.
In my understanding, if some TSA has a long validity TSA
certificate and uses its private key until TSA certificate
expiration, verifiable duration is getting shorter and shorter.
And furthermore, the risk of key compromise will increase
by using the private key for a long time.
The purpose of Timestamp is to provide the capability of
verification of signed object after the expiration of code
signing certificate for a certain period of time.
So, to accomplish the purpose of timestamp,
following process has been considered.
- TSA certificate has 135 months validity,
- its private key can be used only for 15 months,
- TSA certificate is used only for timestamp verification
  after ceasing to use its private key,
- by doing this every year, at least 10 years capability of
  timestamp verification can be maintained all the time.
Due to the above reasons, I think that the max 15 months
TSA certificate validity period is too short.
In other words, long validity of TSA certificate and
shortened usage period of its private key would be considered.
Please forgive me if my understanding is not correct.
Kind regards,
Atsushi Inaba
―――――――――――――――――――――――――――――
GMO GlobalSign K.K.
Business Planning
Atsushi Inaba
1-2-3, Dogenzaka, Shibuya Ku, Tokyo, Japan
150-0043
TEL: +81-3-6370-6671
FAX: +81-3-6370-6505
E-MAIL: atsushi.inaba at globalsign.com
URL:https://jp.globalsign.com/
―――――――――――――――――――――――――――――
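Added example, not part of the original message or of the CSBRs: a month-granularity model of the rotation scheme described in the message above (135-month certificate, 15-month key use, new key every year), compared with a key used until certificate expiry and with a 15-month certificate. `TsaPolicy` and the function names are hypothetical, and "verifiable duration" is modelled only as the months left until the TSA certificate expires.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TsaPolicy:            # hypothetical model, all values in months
    cert_validity: int      # validity of each TSA certificate
    key_usage: int          # how long its private key may sign
    rotation: int           # interval between new TSA certificates/keys

def active_certs(policy, t):
    """Issuance months of every certificate whose key may still sign at month t."""
    window = min(policy.key_usage, policy.cert_validity)
    return [i for i in range(0, t + 1, policy.rotation) if t - i <= window]

def remaining_validity(policy, t, pick=min):
    """Months of certificate validity left for a timestamp issued at month t.

    pick=min assumes the TSA signs with its oldest usable key (worst case),
    pick=max with its newest. Returns None if no key may sign at t.
    """
    certs = active_certs(policy, t)
    if not certs:
        return None
    return pick(certs) + policy.cert_validity - t

def worst_case(policy, horizon=240):
    """Smallest remaining validity over the horizon, or None on a signing gap."""
    values = [remaining_validity(policy, t) for t in range(horizon + 1)]
    return None if None in values else min(values)

# Constructed policies for comparison.
ROTATING   = TsaPolicy(cert_validity=135, key_usage=15,  rotation=12)
LONG_KEY   = TsaPolicy(cert_validity=135, key_usage=135, rotation=135)
SHORT_CERT = TsaPolicy(cert_validity=15,  key_usage=15,  rotation=12)
GAP        = TsaPolicy(cert_validity=135, key_usage=15,  rotation=18)

if __name__ == "__main__":
    for name, p in [("rotating", ROTATING), ("long key", LONG_KEY),
                    ("short cert", SHORT_CERT), ("gap", GAP)]:
        print(f"{name:10s} worst-case months remaining: {worst_case(p)}")
```

A rotation interval longer than the key usage period leaves months in which no key may sign, which `worst_case` reports as `None`.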
From: Bruce Morton <Bruce.Morton at entrust.com>
Sent: Wednesday, March 3, 2021 5:02 AM
To: Atsushi Inaba <atsushi.inaba at globalsign.com>; cscwg-public at cabforum.org
Subject: RE: F2F Minutes
Moved to public list.
The CSBRs state, “The Timestamp Authority MUST use a new Timestamp
Certificate with a new private key no later than every 15 months to minimize
the impact to users in the event that a Timestamp Certificate's private key
is compromised. The validity for a Timestamp Certificate must not exceed 135
months. The Timestamp Certificate MUST meet the "Minimum Cryptographic
Algorithm and Key Size Requirements" in Appendix A for the communicated time
period.” As such, the CSBRs are stating that the Timestamp Certificate
private key has a lifetime of 15 months for signing.
The change will reduce the validity period of the certificate from 135
months to 15 months. The reason is that the Windows application will check
the validity period of the Timestamp Certificate. The signature should be
trusted if it occurred at a time when the Code Signing certificate was valid
(i.e., not expired or revoked). The time will be asserted with the timestamp
token.
Bruce.
From: Atsushi Inaba <atsushi.inaba at globalsign.com>
Sent: Tuesday, March 2, 2021 2:51 PM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-management at cabforum.org
Cc: Atsushi Inaba <atsushi.inaba at globalsign.com>
Subject: [EXTERNAL] [EXTERNAL] RE: F2F Minutes
Hello Bruce,
Thank you for sharing the material.
Could I make sure the consideration about the validity
period of TSA certificate? How the private key and
certificate of TSA are used when the max validity of TSA
certificate is 15 months?
Sorry, I missed the TSA validity related discussion at
last CSCWG meeting. (I was dozing off, maybe...)
Sorry to trouble you.
Atsushi Inaba
From: Cscwg-management <cscwg-management-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-management
Sent: Wednesday, March 3, 2021 3:57 AM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-management at cabforum.org
Subject: Re: [Cscwg-management] F2F Minutes
Here are the slides,
https://wiki.cabforum.org/_media/cscwg/f2f_cswg_20210302_v2.pdf.
Bruce.
From: Cscwg-management <cscwg-management-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-management
Sent: Tuesday, March 2, 2021 10:42 AM
To: cscwg-management at cabforum.org
Subject: [EXTERNAL] [Cscwg-management] F2F Minutes
I will use a presentation for today’s meeting.
Can someone volunteer to take minutes? The slides will really help.
Thanks, Bruce.