[Cscwg-public] Follow-up on Time-stamp Authority Items
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Jan 14 09:01:33 UTC 2022
On 13/1/2022 8:02 PM, Ian McMillan via Cscwg-public wrote:
> Hi Folks,
> I followed up to make sure we have the behavior for Windows
> understood. WVT (WinVerifyTrust) will do revocation checking for the
> TSA cert, and if the signature was timestamped with that TSA, it will
> consider the signature invalid even if the signing cert is still valid
> at the time of checking. Corey's point that the broad usage leads to a
> larger impact in the revocation scenario is a large factor in why I
> would like to see the TSA entity certificate max validity come down to
> 15 months, and we remove the rekey requirement.
Thank you for the feedback about WVT, it's very useful. I believe most
CAs prefer to have the Time-stamping Issuing CA offline (treated as a
Root) because I assume we weren't sure if the timestamp validation
extends to the certificate of the Issuing CA. Can you also please
confirm that the validity of the Time-stamping *Issuing CA Certificate*
(at the subCA level) is checked by WVT?
If Windows checks for the validity of the issuing CA Certificate, some
CAs might consider bringing the TSA Issuing CA online.
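The thread asks what Windows actually examines in the time-stamp chain. The following PowerShell script is an added example for readers of this archive, not code from either poster or from the CSCWG: it pulls the Authenticode verdict (Get-AuthenticodeSignature calls WinVerifyTrust) and the TSA end-entity certificate from a signed binary, then rebuilds the TSA chain with .NET's X509Chain using online revocation over the entire chain, so you can see the leaf, the Time-stamping Issuing CA and the root side by side, with their validity windows, whether each tier publishes CRL/OCSP pointers, and any per-element status. The file path and the use of notepad.exe as a sample are assumptions; X509Chain's policy is not identical to WinVerifyTrust's internal time-stamp policy, so treat the chain table as a view of the certificates, and the Status field as the verdict WVT itself returned.

```powershell
# Added example (not from the mailing-list thread): inspect the Authenticode
# signature and the time-stamp (TSA) certificate chain of a signed Windows binary.
# Assumption: $Path points at a time-stamped, signed PE file; notepad.exe is used
# only as a commonly available Microsoft-signed sample.
param(
    [string]$Path = "$env:SystemRoot\System32\notepad.exe"
)

# Get-AuthenticodeSignature drives WinVerifyTrust under the hood.
# .Status is the overall verdict; .TimeStamperCertificate is the TSA leaf cert.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : {0}" -f $sig.Status
"Signer           : {0}" -f $sig.SignerCertificate.Subject
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "File is not time-stamped; nothing further to inspect."
    return
}
"TSA certificate  : {0}" -f $sig.TimeStamperCertificate.Subject

# Rebuild the TSA chain with online revocation checking over the entire chain
# (leaf, issuing CA, root). This uses .NET's X509Chain, which is an assumption
# as a stand-in for WVT's own policy: it shows the certificates WVT would have
# to evaluate, not WVT's decision about them.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($sig.TimeStamperCertificate)
"TSA chain built  : {0}" -f $built

$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    # Which tiers publish revocation data?
    #   2.5.29.31          = CRL Distribution Points
    #   1.3.6.1.5.5.7.1.1  = Authority Information Access (carries OCSP URLs)
    $hasCdp = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
    $hasAia = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })
    # An empty ChainElementStatus array means no error was recorded for this tier.
    $status = if ($_.ChainElementStatus) { $_.ChainElementStatus.Status -join ', ' } else { 'NoError' }
    [pscustomobject]@{
        Subject   = $c.Subject
        NotBefore = $c.NotBefore
        NotAfter  = $c.NotAfter
        HasCRLDP  = $hasCdp
        HasAIA    = $hasAia
        Status    = $status
    }
} | Format-Table -AutoSize
```

Run it against a binary time-stamped by the TSA under discussion; a chain whose issuing CA carries no CRL Distribution Points or AIA extension is the offline-issuer pattern Dimitris describes, and a RevocationStatusUnknown or OfflineRevocation entry on that tier shows what an online-revocation check of the subCA would hit in practice.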