[Cscwg-public] Follow-up on Time-stamp Authority Items

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Jan 14 09:01:33 UTC 2022



On 13/1/2022 8:02 PM, Ian McMillan via Cscwg-public wrote:
>
> Hi Folks,
>
> I followed up to make sure we have the behavior for Windows 
> understood. WVT (WinVerifyTrust) will do revocation checking for the 
> TSA cert and if timestamped with that TSA, and it will consider the 
> signature as invalid even if the signing cert is still valid at the 
> time of checking. Corey’s point about the broad usage leads to larger 
> impact in the revocation scenario does play a large factor and why I 
> would like to see the TSA entity certificate max validity come down to 
> 15 months, and we remove the rekey requirement.
>

Hello Ian,

Thank you for the feedback about WVT, it's very useful. I believe most 
CAs prefer to have the Time-stamping Issuing CA offline (treated as a 
Root) because I assume we weren't sure if the timestamp validation 
extends to the certificate of the Issuing CA. Can you also please 
confirm that the validity of the Time-stamping *Issuing CA Certificate* 
(at the subCA level) is checked by WVT?

If Windows checks for the validity of the issuing CA Certificate, some 
CAs might consider bringing the TSA Issuing CA online.

Thanks,
Dimitris.