[cabfpub] Questions regarding timestamping certificates

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Sep 8 08:33:45 UTC 2016


Hello everyone,

We are setting up a new Timestamping Authority and we are looking for 
specific rules that apply to certificates and subCA Certificates related 
to timestamping. While reading various standards and the CA/B Forum 
documents, and after looking at various existing implementations of 
publicly-trusted CAs, I have some questions and would appreciate any 
feedback from the forum. Although the BRs apply to SSL certificates, 
some Root Certificates might be used for both SSL and timestamping 
services. So the questions that follow apply to CAs that use the same 
Root Certificate for both SSL and timestamping purposes. Of course, the 
EV CodeSigning requirements also define some rules for "EV Timestamp 
Authorities".

 1. Section 6.1.7 of the Baseline Requirements states that the Root CA
    Private Keys MUST NOT be used to sign end-entity certificates with
    some exceptions. This exception list does not specifically mention
    end-entity certificates with EKU id-kp-timeStamping. Are Root CAs
    allowed to directly issue end-entity certificates for timestamping
    authorities (end-entity certificates with EKU only id-kp-timeStamping)?
 2. Section 4.9.7 describes the CRL issuance frequency for Subscriber
    and Subordinate CA Certificates. If there is a Subordinate CA
    Certificate constrained with EKU id-kp-timeStamping, is an
    end-entity certificate (with only id-kp-timeStamping) issued from
    that subCA considered a "Subscriber" Certificate? Should this subCA
    issue CRLs every 7 days or every 12 months? My understanding
    (according to section 1.1 of the BRs) is that the end-entity
    certificates from that subCA are not required to comply with the
    CA/B Forum BRs. This should allow the CA to choose the CRL issuance
    (from that restricted subCA), to exceed the 7-day requirement.


Thank you in advance.


Dimitris Zacharopoulos.


