[Cscwg-public] [EXTERNAL] Re: Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Ian McMillan ianmcm at microsoft.com
Thu Mar 11 16:32:32 UTC 2021

Hi Dimitris,

I've reached out to some contacts I have in Oracle to see if we can get a definitive answer from the JSE folks, and I'll see if I can find time to test it out myself with some experiments on the behaviors of JSE with regards to the timestamping certificate's validity. I've also confirmed that the behavior of NuGet client follows that same pattern in that the timestamping certificate validity must not be expired at the time of the signing, and not a the time of verification.

We can remove the change for max validity of timestamping certificates in this ballot, and have it in a future ballot once we have answers from Oracle.


From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Wednesday, March 10, 2021 2:48 AM
To: Ian McMillan <ianmcm at microsoft.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Dear Ian,

As I mentioned at our last meeting, we should take into account the fact that other Code Signing Certificate Consumers may use the timestamps in a different way and would invalidate code if the timestamp certificate expires.

We should probably do some research and find out how Code Signing Certificate Consumers, like Oracle (for Java application), handle this issue so we do not create any unintentional problems to the code signing ecosystem.

If any member has investigated the issue, it would be great to get some additional feedback.

Best regards,

On 9/3/2021 7:41 μ.μ., Ian McMillan via Cscwg-public wrote:
Ballot CSC-8: Update to OCSP responses & Timestamping certificate max validity

Hello CSCWG members,

In light of the issues we've discussed on the current requirements for OCSP responses for both code signing and timestamping certificates and the max validity of Timestamping certificates, I've made a full pass at the CSBRs now to update them for two things:

  1.  Timestamping  certificates max validity moved from 135 to 15 months (9.4)
  2.  Made OCSP optional with CRLs being required (13.2.1, 13.2.2, Appendix B: 3C, 5C)

In Appendix B, I also noted that the requirements for the Timestamping (5C) and Code Signing (3C) certificates had AIA value requirements to include the root certificate URL, but that should be the issuing CA URL. Looked to be likely an old copy-paste issue from long ago, so I've updated those as well.

I shared these edits with Bruce Morton and Tim Hollebeek, and I appreciated their feedback and guidance.

ASK: Please review the attached redline version of the CSBRs with these changes and provide feedback. If you are willing to sponsor this in a new ballot (CSC-8), please let me know.

Thank you,



Cscwg-public mailing list

Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210311/53b7e872/attachment.html>

More information about the Cscwg-public mailing list