[Cscwg-public] Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Mar 11 07:51:57 UTC 2021
In addition to my previous post, we should also consider the necessity
of the following requirement which is applicable to Time-stamping
"The CA SHALL update and reissue CRLs at least (i) once every twelve
months", and similarly for OCSP responses.
If the entire lifetime of a Timestamping certificate is to be changed to
15 months, this requirement doesn't make much sense to me.
If we want to make CRLs mandatory, we must also update Appendix B (3) B.
Since OCSP is optional, we should also update Appendix B (2) C and (4) C
to match the updated language of (3) C.
On 10/3/2021 12:48 PM, Dimitris Zacharopoulos (HARICA) wrote:
> Dear Ian,
> As I mentioned at our last meeting, we should take into account the
> fact that other Code Signing Certificate Consumers may use the
> timestamps in a different way and would invalidate code if the
> timestamp certificate expires.
> We should probably do some research and find out how Code Signing
> Certificate Consumers, like Oracle (for Java application), handle this
> issue so we do not create any unintentional problems for the code
> signing ecosystem.
> If any member has investigated the issue, it would be great to get
> some additional feedback.
> Best regards,
> On 9/3/2021 7:41 PM, Ian McMillan via Cscwg-public wrote:
>> *Ballot CSC-8: Update to OCSP responses & Timestamping certificate
>> max validity*
>> Hello CSCWG members,
>> In light of the issues we’ve discussed on the current requirements
>> for OCSP responses for both code signing and timestamping
>> certificates and the max validity of Timestamping certificates, I’ve
>> made a full pass at the CSBRs now to update them for two things:
>> 1. Timestamping certificates max validity moved from 135 to 15
>> months (9.4)
>> 2. Made OCSP optional with CRLs being required (13.2.1, 13.2.2,
>> Appendix B: 3C, 5C)
>> In Appendix B, I also noted that the requirements for the
>> Timestamping (5C) and Code Signing (3C) certificates had AIA value
>> requirements to include the root certificate URL, but that should be
>> the issuing CA URL. Looked to be likely an old copy-paste issue from
>> long ago, so I’ve updated those as well.
>> I shared these edits with Bruce Morton and Tim Hollebeek, and I
>> appreciated their feedback and guidance.
>> *ASK:* Please review the attached redline version of the CSBRs with
>> these changes and provide feedback. If you are willing to sponsor
>> this in a new ballot (CSC-8), please let me know.
>> Thank you,
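The concern in the thread is that a Code Signing Certificate Consumer which refuses signatures once the Timestamping certificate has expired would start rejecting code much sooner under a 15-month TSA certificate lifetime. The following Python sketch is an added illustration, not text from the ballot, the CSBRs, or any real consumer; the two policies, the `Validity` type and the `scenario()` dates are all hypothetical and constructed here. It models the validation decision both ways and shows that the same timestamped signature is accepted under one policy and rejected under the other once the TSA certificate's notAfter has passed.

```python
"""Added illustration: how two hypothetical consumer policies treat a timestamped
code signature after the Timestamping (TSA) certificate has expired."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


@dataclass(frozen=True)
class Validity:
    """notBefore/notAfter window of a certificate (constructed, not parsed from DER)."""
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


class Policy(Enum):
    # Hypothetical policy A: the timestamp proves signing happened inside the
    # signing certificate's lifetime, so the signature stays trusted after
    # both the signing cert and the TSA cert have expired.
    TIMESTAMP_EXTENDS_TRUST = "timestamp-extends-trust"
    # Hypothetical policy B: the consumer additionally insists that the TSA
    # certificate is still unexpired at verification time (the concern raised
    # in the thread).
    TSA_CERT_MUST_BE_CURRENT = "tsa-cert-must-be-current"


def signature_accepted(policy: Policy, signing_cert: Validity,
                       tsa_cert: Optional[Validity], timestamp: Optional[datetime],
                       now: datetime) -> bool:
    """Decide whether a (possibly timestamped) code signature is accepted at `now`."""
    # No timestamp: the only evidence is the signing cert, so it must be valid right now.
    if timestamp is None or tsa_cert is None:
        return signing_cert.covers(now)
    # A timestamp only helps if it shows the signature was made while the signing
    # cert was valid, and the TSA can only have issued it inside its own lifetime.
    if not signing_cert.covers(timestamp) or not tsa_cert.covers(timestamp):
        return False
    if policy is Policy.TIMESTAMP_EXTENDS_TRUST:
        return True
    # Policy B: the TSA certificate itself must still be within its validity period.
    return tsa_cert.covers(now)


def months(n: int) -> timedelta:
    # 30-day months are close enough for a worked scenario.
    return timedelta(days=30 * n)


def scenario() -> dict:
    """Constructed scenario: a TSA cert limited to 15 months (the ballot's proposed
    maximum), a 36-month signing cert, code signed in month 10 and verified in
    month 20, i.e. after the TSA cert expired but well inside the signing cert."""
    t0 = datetime(2021, 4, 1, tzinfo=timezone.utc)
    signing_cert = Validity(t0, t0 + months(36))
    tsa_cert = Validity(t0, t0 + months(15))
    signed_at = t0 + months(10)
    verified_at = t0 + months(20)
    return {
        p.value: signature_accepted(p, signing_cert, tsa_cert, signed_at, verified_at)
        for p in Policy
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Under policy A the signature is still accepted at month 20; under policy B it is rejected the moment the 15-month TSA certificate expires, which is exactly the kind of consumer behaviour the thread suggests checking before shortening the maximum validity.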