[Cscwg-public] [EXTERNAL] Re: Follow-up on Time-stamp Authority Items

Ian McMillan ianmcm at microsoft.com
Fri Jan 14 23:44:50 UTC 2022

Hi Dimitris,

Yes, I can confirm in the process of validating the end-entity TSA certificate, WVT does validate the validity of the issuing CA and any sub CAs in the chain all the way to the root CA.


From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Friday, January 14, 2022 4:02 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Follow-up on Time-stamp Authority Items

On 13/1/2022 8:02 μ.μ., Ian McMillan via Cscwg-public wrote:
Hi Folks,

I followed up to make sure we have the behavior for Windows understood. WVT (WinVerifyTrust) will do revocation checking for the TSA cert and if timestamped with that TSA, and it will consider the signature as invalid even if the signing cert is still valid at the time of checking. Corey’s point about the broad usage leads to larger impact in the revocation scenario does play a large factor and why I would like to see the TSA entity certificate max validity come down to 15 months, and we remove the rekey requirement.

Hello Ian,

Thank you for the feedback about WVT, it's very useful. I believe most CAs prefer to have the Time-stamping Issuing CA offline (treated as a Root) because I assume we weren't sure if the timestamp validation extends to the certificate of the Issuing CA. Can you also please confirm that the validity of the Time-stamping Issuing CA Certificate (at the subCA level) is checked by WVT?

If Windows checks for the validity of the issuing CA Certificate, some CAs might consider bringing the TSA Issuing CA online.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220114/c5eaa8fd/attachment.html>

More information about the Cscwg-public mailing list