[Cscwg-public] DSA SubCAs: are they allowed?

Bruce Morton Bruce.Morton at entrust.com
Wed Sep 15 14:39:52 UTC 2021

Hi Corey,

Although I assume there would be no impact, removing DSA seems to be out of scope for the format change.

This seems like a minor change that we could cover in another ballot. We might even agree to add this to one of the ballots, which Ian is proposing.

Perhaps we can discuss at next week's call.

Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Cscwg-public
Sent: Wednesday, September 15, 2021 9:52 AM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] DSA SubCAs: are they allowed?

My bad, forgot to add this to the bottom of the message:

[1] https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Corey Bonnell via Cscwg-public
Sent: Wednesday, September 15, 2021 9:50 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] DSA SubCAs: are they allowed?

In removing the algorithm encoding requirements from the RFC 3647 draft CSBRs (https://github.com/cabforum/code-signing/pull/6/commits/3e642a8cf2b5b1c7479e7e5031a6301c2fd6b828), I encountered a potential inconsistency/ambiguity in the current CSBRs and Microsoft Root Program requirements. Appendix A of the current CSBRs allows for Roots and SubCAs to use a DSA key pair, but section B of the Microsoft Root Program [1] requirements for Roots and SubCAs seemingly does not, by omission of DSA entirely.

Given this, is it safe to conclude that the Microsoft Root Program currently prohibits DSA Roots and SubCAs? If so, can we disallow DSA ICAs in the RFC 3647 CSBRs to mirror the Microsoft Root Program requirements?
