[cabfpub] Questions regarding timestamping certificates

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Sep 8 07:39:27 MST 2016 


On 8/9/2016 4:59 μμ, Bruce Morton wrote:
>
> Hi Dimitris,
>
> I don’t think that the spirit of BR 6.1.7 would be for a root CA to 
> issue a certificate for a TSA. Also, the members of the Code Signing 
> Working Group have recommended that there be a separate CA for issuing 
> time-stamping certificates which is defined in Appendix B (4) of the 
> Minimum Requirements for Code Signing certificates.
>

That was my initial reading too and thank you for confirming. If others 
think that's not the case, please let us know.

> You may want to get feedback directly from the vendor of the client 
> software which will validate the time-stamp signatures.
>

I don't think that will  be necessary because if the standards require a 
2 level certificate chain verification, the client software must support 
it :)


Best regards,
Dimitris.

> Bruce.
>
> *From:*Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Thursday, September 8, 2016 9:03 AM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>; public at cabforum.org
> *Subject:* Re: [cabfpub] Questions regarding timestamping certificates
>
> On 8/9/2016 3:07 μμ, Bruce Morton wrote:
>
>     Hi Dimitris,
>
>     I think the best document to use for Time-stamping Authority is
>     the Minimum Requirements for Code Signing certificates, see
>     https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf.
>
>     Thanks, Bruce.
>
>
> Thank you Bruce, you helped me find answers related to my second 
> question. I am not 100% sure if it answers my first question. The 
> minimum requirements for code signing document, describes a scenario 
> where there are explicit Subordinate CA Certificates for TimeStamping 
> but there is no requirement that forbids end-entity certificates to be 
> issued directly from the Root (at least not one I could spot straight 
> away).
>
> I guess my 1st question is more focused on what is allowed under the 
> currently approved CA/B Forum Baseline Requirements.
>
>
> Best regards,
> Dimitris.
>
>
>
>     *From:*public-bounces at cabforum.org
>     <mailto:public-bounces at cabforum.org>
>     [mailto:public-bounces at cabforum.org] *On Behalf Of *Dimitris
>     Zacharopoulos
>     *Sent:* Thursday, September 8, 2016 4:34 AM
>     *To:* public at cabforum.org <mailto:public at cabforum.org>
>     *Subject:* [cabfpub] Questions regarding timestamping certificates
>
>     Hello everyone,
>
>     We are setting up a new Timestamping Authority and we are looking
>     for specific rules that apply to certificates and subCA
>     Certificates related to timestamping. While reading various
>     standards and the CA/B Forum documents, and after looking at
>     various existing implementations of publicly-trusted CAs, I have
>     some questions and would appreciate any feedback from the forum.
>     Although the BRs apply to SSL certificates, some Root Certificates
>     might be used for both SSL and timestamping services. So the
>     questions that follow, apply to CAs that use the same Root
>     Certificate for both SSL and timestamping purposes. Of course, the
>     EV CodeSigning requirements also define some rules for "EV
>     Timestamp Authorities".
>
>      1. Section 6.1.7 of the Baseline Requirements states that the
>         Root CA Private Keys MUST NOT be used to sign end-entity
>         certificates with some exceptions. This exception list does
>         not specifically mention end-entity certificates with EKU
>         id-kp-timeStamping. Are Root CAs allowed to directly issue
>         end-entity certificates for timestamping authorities
>         (end-entity certificates with EKU only id-kp-timeStamping)?
>      2. Section 4.9.7 describes the CRL issuance frequency for
>         Subscriber and Subordinate CA Certificates. If there is a
>         Subordinate CA Certificate constrained with EKU
>         id-kp-timeStamping, is an end-entity certificate (with only
>         id-kp-timeStamping) issued from that subCA considered a
>         "Subscriber" Certificate? Should this subCA issue CRLs every 7
>         days or every 12 months? My understanding (according to
>         section 1.1 of the BRs) is that the end-entity certificates
>         from that subCA are not required to comply with the CA/B Forum
>         BRs. This should allow the CA to choose the CRL issuance (from
>         that restricted subCA), to exceed the 7-day requirement.
>
>
>     Thank you in advance.
>
>
>     Dimitris Zacharopoulos.
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160908/6c732386/attachment.html

More information about the Public mailing list