[cabfpub] Questions regarding timestamping certificates
Dimitris Zacharopoulos
jimmy at it.auth.gr
Thu Sep 8 13:03:13 UTC 2016
On 8/9/2016 3:07 PM, Bruce Morton wrote:
>
> Hi Dimitris,
>
> I think the best document to use for Time-stamping Authority is the
> Minimum Requirements for Code Signing certificates, see
> https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf.
>
> Thanks, Bruce.
>
Thank you Bruce, you helped me find answers related to my second
question. I am not 100% sure if it answers my first question. The
minimum requirements for code signing document describes a scenario
where there are explicit Subordinate CA Certificates for TimeStamping,
but there is no requirement that forbids end-entity certificates from
being issued directly from the Root (at least not one I could spot
straight away).
I guess my 1st question is more focused on what is allowed under the
currently approved CA/B Forum Baseline Requirements.
Best regards,
Dimitris.
> *From:* public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dimitris Zacharopoulos
> *Sent:* Thursday, September 8, 2016 4:34 AM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] Questions regarding timestamping certificates
>
> Hello everyone,
>
> We are setting up a new Timestamping Authority and we are looking for
> specific rules that apply to certificates and subCA Certificates
> related to timestamping. While reading various standards and the CA/B
> Forum documents, and after looking at various existing implementations
> of publicly-trusted CAs, I have some questions and would appreciate
> any feedback from the forum. Although the BRs apply to SSL
> certificates, some Root Certificates might be used for both SSL and
> timestamping services. So the questions that follow, apply to CAs that
> use the same Root Certificate for both SSL and timestamping purposes.
> Of course, the EV CodeSigning requirements also define some rules for
> "EV Timestamp Authorities".
>
> 1. Section 6.1.7 of the Baseline Requirements states that the Root CA
> Private Keys MUST NOT be used to sign end-entity certificates with
> some exceptions. This exception list does not specifically mention
> end-entity certificates with EKU id-kp-timeStamping. Are Root CAs
> allowed to directly issue end-entity certificates for timestamping
> authorities (end-entity certificates with EKU only
> id-kp-timeStamping)?
> 2. Section 4.9.7 describes the CRL issuance frequency for Subscriber
> and Subordinate CA Certificates. If there is a Subordinate CA
> Certificate constrained with EKU id-kp-timeStamping, is an
> end-entity certificate (with only id-kp-timeStamping) issued from
> that subCA considered a "Subscriber" Certificate? Should this
> subCA issue CRLs every 7 days or every 12 months? My understanding
> (according to section 1.1 of the BRs) is that the end-entity
> certificates from that subCA are not required to comply with the
> CA/B Forum BRs. This should allow the CA to choose the CRL
> issuance (from that restricted subCA), to exceed the 7-day
> requirement.
>
>
> Thank you in advance.
>
>
> Dimitris Zacharopoulos.
>
>
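As an added example, not code from the thread: a small Go lint for the two conditions the questions above turn on, run over a constructed throwaway hierarchy. CheckTSAChain flags an end-entity certificate whose issuer is the self-signed Root (question 1), and CheckCRLInterval flags a CRL whose thisUpdate-to-nextUpdate interval exceeds the 7 days stated for Subscriber certificates (question 2). The finding strings and the Issue helper are assumptions of this example; whether either pattern is permitted under the BRs is exactly what the thread is asking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding strings are this example's own wording, not terms defined in the BRs.
const (
	LeafIssuedByRoot   = "timestamping end-entity certificate signed directly by the Root"
	CRLIntervalTooLong = "CRL thisUpdate-to-nextUpdate interval exceeds 7 days"
)

// CheckTSAChain lints a chain ordered leaf first (leaf, issuing CA, ..., Root).
func CheckTSAChain(chain []*x509.Certificate) []string {
	leaf := chain[0]
	// Question 1: the issuer verifies its own signature, so the end-entity cert was signed by the self-signed Root.
	if len(chain) > 1 && !leaf.IsCA && chain[1].CheckSignatureFrom(chain[1]) == nil {
		return []string{LeafIssuedByRoot}
	}
	return nil
}

// CheckCRLInterval applies the 7-day Subscriber CRL frequency from question 2.
func CheckCRLInterval(crl *x509.RevocationList) []string {
	if crl.NextUpdate.Sub(crl.ThisUpdate) > 7*24*time.Hour {
		return []string{CRLIntervalTooLong}
	}
	return nil
}

// Issue builds a throwaway P-256 cert for the constructed sample hierarchy (parent == nil: self-signed; toy: all key usages set).
func Issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: eku}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```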