[Cscwg-public] Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Mar 10 10:48:17 UTC 2021


Dear Ian,

As I mentioned at our last meeting, we should take into account the fact 
that other Code Signing Certificate Consumers may use the timestamps in 
a different way and would invalidate code if the timestamp certificate 
expires.

We should probably do some research and find out how Code Signing 
Certificate Consumers, like Oracle (for Java applications), handle this 
issue so we do not create any unintentional problems for the code signing 
ecosystem.

If any member has investigated the issue, it would be great to get some 
additional feedback.


Best regards,
Dimitris.


On 9/3/2021 7:41 PM, Ian McMillan via Cscwg-public wrote:
>
> *Ballot CSC-8: Update to OCSP responses & Timestamping certificate max 
> validity*
>
> Hello CSCWG members,
>
> In light of the issues we’ve discussed on the current requirements for 
> OCSP responses for both code signing and timestamping certificates and 
> the max validity of Timestamping certificates, I’ve made a full pass 
> at the CSBRs now to update them for two things:
>
>  1. Timestamping certificates max validity moved from 135 to 15 months
>     (9.4)
>  2. Made OCSP optional with CRLs being required (13.2.1, 13.2.2,
>     Appendix B: 3C, 5C)
>
> In Appendix B, I also noted that the requirements for the Timestamping 
> (5C) and Code Signing (3C) certificates had AIA value requirements to 
> include the root certificate URL, but that should be the issuing CA 
> URL. Looked to be likely an old copy-paste issue from long ago, so 
> I’ve updated those as well.
>
> I shared these edits with Bruce Morton and Tim Hollebeek, and I 
> appreciated their feedback and guidance.
>
> *ASK:* Please review the attached redline version of the CSBRs with 
> these changes and provide feedback. If you are willing to sponsor this 
> in a new ballot (CSC-8), please let me know.
>
> Thank you,
>
> Ian
