[Cscwg-public] Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Mar 11 07:51:57 UTC 2021

In addition to my previous post, we should also consider the necessity 
of the following requirement which is applicable to Time-stamping 

"The CA SHALL update and reissue CRLs at least (i) once every twelve 
months ", and similarly for OCSP responses.

If the entire lifetime of a Timestamping certificate is to be changed to 
15 months, this requirement doesn't make much sense to me.

If we want to make CRLs mandatory, we must also update Appendix B (3) B.

Since OCSP is optional, we should also update Appendix B (2) C and (4) C 
to match the updated language of (3) C.


On 10/3/2021 12:48 μ.μ., Dimitris Zacharopoulos (HARICA) wrote:
> Dear Ian,
> As I mentioned at our last meeting, we should take into account the 
> fact that other Code Signing Certificate Consumers may use the 
> timestamps in a different way and would invalidate code if the 
> timestamp certificate expires.
> We should probably do some research and find out how Code Signing 
> Certificate Consumers, like Oracle (for Java application), handle this 
> issue so we do not create any unintentional problems to the code 
> signing ecosystem.
> If any member has investigated the issue, it would be great to get 
> some additional feedback.
> Best regards,
> Dimitris.
> On 9/3/2021 7:41 μ.μ., Ian McMillan via Cscwg-public wrote:
>> *Ballot CSC-8: Update to OCSP responses & Timestamping certificate 
>> max validity*
>> Hello CSCWG members,
>> In light of the issues we’ve discussed on the current requirements 
>> for OCSP responses for both code signing and timestamping 
>> certificates and the max validity of Timestamping certificates, I’ve 
>> made a full pass at the CSBRs now to update them for two things:
>>  1. Timestamping certificates max validity moved from 135 to 15
>>     months (9.4)
>>  2. Made OCSP optional with CRLs being required (13.2.1, 13.2.2,
>>     Appendix B: 3C, 5C)
>> In Appendix B, I also noted that the requirements for the 
>> Timestamping (5C) and Code Signing (3C) certificates had AIA value 
>> requirements to include the root certificate URL, but that should be 
>> the issuing CA URL. Looked to be likely an old copy-paste issue from 
>> long ago, so I’ve updated those as well.
>> I shared these edits with Bruce Morton and Tim Hollebeek, and I 
>> appreciated their feedback and guidance.
>> *ASK:* Please review the attached redline version of the CSBRs with 
>> these changes and provide feedback. If you are willing to sponsor 
>> this in a new ballot (CSC-8), please let me know.
>> Thank you,
>> Ian
>> _______________________________________________
>> Cscwg-public mailing list
>> Cscwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/cscwg-public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210311/f8f7b39d/attachment.html>

More information about the Cscwg-public mailing list