[Cscwg-public] DSA SubCAs: are they allowed?

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Sep 15 15:36:48 UTC 2021

I agree with Bruce. In principle we should avoid changing existing 
requirements in cleanup-clarifications-restructuring ballots.

We also have no idea if removing the DSA algorithms would impact the 
Oracle Java Root Program (I assume it would not).

Best regards,

On 15/9/2021 5:40 μ.μ., Bruce Morton via Cscwg-public wrote:
> Hi Corey,
> Although I assume there would be no impact, removing DSA seems to be 
> out of scope for the format change.
> This seems like a minor change that we could cover in another ballot. 
> We might even agree to add this to one of the ballots, which Ian is 
> proposing.
> Perhaps we can discuss at next weeks call.
> Thanks, Bruce.
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Corey Bonnell via Cscwg-public
> *Sent:* Wednesday, September 15, 2021 9:52 AM
> *To:* Corey Bonnell <Corey.Bonnell at digicert.com>; 
> cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] DSA SubCAs: are they allowed?
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know 
> the content is safe.
> ------------------------------------------------------------------------
> My bad, forgot to add this to the bottom of the message:
> [1] 
> https://docs.microsoft.com/en-us/security/trusted-root/program-requirements 
> <https://docs.microsoft.com/en-us/security/trusted-root/program-requirements>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org 
> <mailto:cscwg-public-bounces at cabforum.org>> *On Behalf Of *Corey 
> Bonnell via Cscwg-public
> *Sent:* Wednesday, September 15, 2021 9:50 AM
> *To:* cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org>
> *Subject:* [Cscwg-public] DSA SubCAs: are they allowed?
> Hello,
> In removing the algorithm encoding requirements from the RFC 3647 
> draft CSBRs 
> (https://github.com/cabforum/code-signing/pull/6/commits/3e642a8cf2b5b1c7479e7e5031a6301c2fd6b828 
> <https://github.com/cabforum/code-signing/pull/6/commits/3e642a8cf2b5b1c7479e7e5031a6301c2fd6b828>), 
> I encountered a potential inconsistency/ambiguity in the current CSBRs 
> and Microsoft Root Program requirements. Appendix A of the current 
> CSBRs allows for Roots and SubCAs to use a DSA key pair, but section B 
> of the Microsoft Root Program [1] requirements for Roots and SubCAs 
> seemingly do not by omission of DSA entirely.
> Given this, is it safe to conclude that the Microsoft Root Program 
> currently prohibits DSA Roots and SubCAs? If so, can we disallow DSA 
> ICAs in the RFC 3647 CSBRs to mirror the Microsoft Root Program 
> requirements?
> Thanks,
> Corey
> /Any email and files/attachments transmitted with it are confidential 
> and are intended solely for the use of the individual or entity to 
> whom they are addressed. If this message has been sent to you in 
> error, you must not copy, distribute or disclose of the information it 
> contains. _Please notify Entrust immediately_ and delete the message 
> from your system./
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210915/5db48253/attachment-0001.html>

More information about the Cscwg-public mailing list