[Cscwg-public] Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Ian McMillan ianmcm at microsoft.com
Tue Mar 9 17:40:58 UTC 2021

Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Hello CSCWG members,

In light of the issues we've discussed on the current requirements for OCSP responses for both code signing and timestamping certificates and the max validity of Timestamping certificates, I've made a full pass at the CSBRs now to update them for two things:

  1.  Timestamping  certificates max validity moved from 135 to 15 months (9.4)
  2.  Made OCSP optional with CRLs being required (13.2.1, 13.2.2, Appendix B: 3C, 5C)

In Appendix B, I also noted that the requirements for the Timestamping (5C) and Code Signing (3C) certificates had AIA value requirements to include the root certificate URL, but that should be the issuing CA URL. Looked to be likely an old copy-paste issue from long ago, so I've updated those as well.

I shared these edits with Bruce Morton and Tim Hollebeek, and I appreciated their feedback and guidance.

ASK: Please review the attached redline version of the CSBRs with these changes and provide feedback. If you are willing to sponsor this in a new ballot (CSC-8), please let me know.

Thank you,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210309/7ea665bf/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: baseline_requirements_for_the_issuance_and_management_of_code_signing.v2.2-Ballot_CSC-8.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 135198 bytes
Desc: baseline_requirements_for_the_issuance_and_management_of_code_signing.v2.2-Ballot_CSC-8.docx
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210309/7ea665bf/attachment-0001.docx>

More information about the Cscwg-public mailing list