[Cscwg-public] Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B

Tim Hollebeek tim.hollebeek at digicert.com
Fri Mar 19 17:00:47 UTC 2021


We’ll have more comments later, but there’s a simple one I would like to
point out to start the discussion.  The requirement to have CRLs is stated
as “CAs MUST issue CRLs, …”.  This is trivially true for DigiCert.  We
issue LOTS of CRLs!



I believe the intent is that CAs MUST issue one or more CRLs that
collectively cover all the relevant types of certificates that are in scope
for the CSBRs.  The requirement needs to have that level of specificity and
detail, so there’s clarity about exactly what is required.



-Tim



From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian
McMillan via Cscwg-public
Sent: Thursday, March 18, 2021 5:44 PM
To: Bruce.Morton at entrust.com; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Ballot CSC-8 v3: Update to Revocation response
mechanisms. key protection for EV certificates, and clean-up of 11.2.1 &
Appendix B



Absolutely, I’ve made this change in the attached redline now.



Thanks,

Ian



From: Bruce Morton <Bruce.Morton at entrust.com>
Sent: Thursday, March 18, 2021 2:34 PM
To: Ian McMillan <ianmcm at microsoft.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] RE: Ballot CSC-8 v3: Update to Revocation response
mechanisms. key protection for EV certificates, and clean-up of 11.2.1 &
Appendix B



Hi Ian,



Can we remove both of these sentences, “A Timestamp Authority is NOT
REQUIRED to validate in any way data submitted to it for timestamping. It
simply adds the time to the data that are presented to it, signs the result
and appends its own Timestamp Certificate.”



The reason is CSBR 11.2.1 is called “Verification Requirements -
Overview”, so Timestamp Authority requirements should not be in this
section. Also CSBR 16.1 (1) addresses the Timestamp Authority requirement.
If we need some of this text, it should be moved to the correct section.



Thanks, Bruce.



From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian
McMillan via Cscwg-public
Sent: Thursday, March 18, 2021 5:17 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] Ballot CSC-8 v3: Update to Revocation
response mechanisms. key protection for EV certificates, and clean-up of
11.2.1 & Appendix B




Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection
for EV certificates, and clean-up of 11.2.1 & Appendix B



Purpose of this ballot:



Address the changes needed in the Baseline Requirement for the Issuance and
Management of Publicly-Trusted Code Signing Certificates v2.2 for:



1.	Making OCSP optional with CRLs being required (13.2.1, 13.2.2,
Appendix B: 3C, 5C)
2.	Added Common Criteria EAL 4+ to the supported key protection crypto
modules for EV certificates in light of support for RSA 3072 keys (16.3.2)
3.	Clean up of Appendix B[3C] & [5C] (AIA value requirements) and
section 11.2.1 contradiction with RFC3161



In Appendix B, it was noted that the requirements for the Timestamping (5C)
and Code Signing (3C) certificates had AIA value requirements to include the
root certificate URL, but that should be the issuing CA URL. This has been
included in this ballot.



Corey Bonnell noted a contradiction in the section 11.2.1 regarding
Timestamp in the clause “and appends its own Timestamp Certificate” is an
unconditional requirement for a timestamp response to include the TSA
certificate chain, but this conflicts with RFC3161 making this clause a
conditional requirement based on the certReq field (missing or set to
false). This clean up has the clause removed from section 11.2.1.



The following motion has been proposed by Ian McMillan of Microsoft, and
endorsed by Dimitris Zacharopoulos of HARICA and Bruce Morton of Entrust.





--- MOTION BEGINS ---



This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly‐Trusted Code Signing Certificates” version 2.2
according to the attached redline.



--- MOTION ENDS ---



The procedure for approval of this ballot is as follows:

Discussion (7 days)
Start Time: 2021-03-18, 17:30 Eastern Time (US)
End Time: not before 2021-03-25, 17:30 Eastern Time (US)

Vote for approval (7 days)

Start Time: 2021-03-25, 17:30 Eastern Time (US)

End Time: 2021-04-01, 17:30 Eastern Time (US)


