[Cscwg-public] Conflict with RFC 3161 and CSBR 11.2.1

Corey Bonnell Corey.Bonnell at digicert.com
Wed Mar 17 21:48:58 UTC 2021


There appears to be contradictory language in CSBR 11.2.1, as it states the following:

A Timestamp Authority is NOT REQUIRED to validate in any way data submitted
to it for timestamping.  It simply adds the time to the data that are
presented to it, signs the result and appends its own Timestamp Certificate.


The clause "and appends its own Timestamp Certificate" is an unconditional
requirement for a timestamp response to include the TSA certificate chain.
This conflicts with CSBR 16.1 (1), which mandates compliance with RFC 3161,
which in turn states in RFC 3161 section 2.4.1:

               If the certReq field is missing or if the certReq field is
               present and set to false then the certificates field from the
               SignedData structure MUST not be present in the response.


The contradictory language in 11.2.1 was introduced as part of the OV CS/EV
CS BR document merge last year, as I am unable to find any instances of that
text in previous versions of the documents.
Additionally, the intent of the document merge was not to introduce
normative changes, so I believe the intent is that CAs should respect the
certReq field value in the timestamp request and conditionally include the
certificate chain.


If there is agreement on this interpretation, I'd be happy to draft a
clarification ballot.




