[cabfpub] Questions regarding timestamping certificates

Bruce Morton Bruce.Morton at entrust.com
Thu Sep 8 12:07:01 UTC 2016


Hi Dimitris,

I think the best document to use for Time-stamping Authority is the Minimum Requirements for Code Signing certificates, see https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf.

Thanks, Bruce.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos
Sent: Thursday, September 8, 2016 4:34 AM
To: public at cabforum.org
Subject: [cabfpub] Questions regarding timestamping certificates

Hello everyone,

We are setting up a new Timestamping Authority and we are looking for specific rules that apply to certificates and subCA Certificates related to timestamping. While reading various standards and the CA/B Forum documents, and after looking at various existing implementations of publicly-trusted CAs, I have some questions and would appreciate any feedback from the forum. Although the BRs apply to SSL certificates, some Root Certificates might be used for both SSL and timestamping services. So the questions that follow, apply to CAs that use the same Root Certificate for both SSL and timestamping purposes. Of course, the EV CodeSigning requirements also define some rules for "EV Timestamp Authorities".

  1.  Section 6.1.7 of the Baseline Requirements states that the Root CA Private Keys MUST NOT be used to sign end-entity certificates with some exceptions. This exception list does not specifically mention end-entity certificates with EKU id-kp-timeStamping. Are Root CAs allowed to directly issue end-entity certificates for timestamping authorities (end-entity certificates with EKU only id-kp-timeStamping)?
  2.  Section 4.9.7 describes the CRL issuance frequency for Subscriber and Subordinate CA Certificates. If there is a Subordinate CA Certificate constrained with EKU id-kp-timeStamping, is an end-entity certificate (with only id-kp-timeStamping) issued from that subCA considered a "Subscriber" Certificate? Should this subCA issue CRLs every 7 days or every 12 months? My understanding (according to section 1.1 of the BRs) is that the end-entity certificates from that subCA are not required to comply with the CA/B Forum BRs. This should allow the CA to choose the CRL issuance (from that restricted subCA), to exceed the 7-day requirement.

Thank you in advance.


Dimitris Zacharopoulos.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160908/55e05387/attachment-0003.html>


More information about the Public mailing list