[cabfpub] Questions regarding timestamping certificates
Dimitris Zacharopoulos
jimmy at it.auth.gr
Thu Sep 8 16:15:43 UTC 2016
Yes, I was wondering if this is in fact allowed by the BRs. In a case
where you have a Root that doesn't have the SSL trust-bits, I am sure
you can do that. But what happens if your Root is included in the
browsers with the SSL trust-bits set?
Dimitris.
On 8/9/2016 6:14 PM, Inigo Barreira wrote:
>
> Well, it depends. There are some software vendors that “request” to
> have the TSA signed by a known certificate, and as they only trust on
> root certificate, usually to get your timestamps “recognized” you have
> to sign the TSA with the CA root cert just in case.
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of* Dimitris Zacharopoulos
> *Sent:* Thursday, September 8, 2016 16:39
> *To:* Bruce Morton
> *CC:* public at cabforum.org
> *Subject:* Re: [cabfpub] Questions regarding timestamping certificates
>
> On 8/9/2016 4:59 PM, Bruce Morton wrote:
>
> Hi Dimitris,
>
> I don’t think that the spirit of BR 6.1.7 would be for a root CA
> to issue a certificate for a TSA. Also, the members of the Code
> Signing Working Group have recommended that there be a separate CA
> for issuing time-stamping certificates which is defined in
> Appendix B (4) of the Minimum Requirements for Code Signing
> certificates.
>
>
> That was my initial reading too and thank you for confirming. If
> others think that's not the case, please let us know.
>
>
> You may want to get feedback directly from the vendor of the client
> software which will validate the time-stamp signatures.
>
>
> I don't think that will be necessary because if the standards require
> a 2-level certificate chain verification, the client software must
> support it :)
>
>
> Best regards,
> Dimitris.
>
>
> Bruce.
>
> *From:*Dimitris Zacharopoulos [mailto:jimmy at it.auth.gr]
> *Sent:* Thursday, September 8, 2016 9:03 AM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>
> <mailto:Bruce.Morton at entrust.com>; public at cabforum.org
> <mailto:public at cabforum.org>
> *Subject:* Re: [cabfpub] Questions regarding timestamping certificates
>
> On 8/9/2016 3:07 PM, Bruce Morton wrote:
>
> Hi Dimitris,
>
> I think the best document to use for Time-stamping Authority is
> the Minimum Requirements for Code Signing certificates, see
> https://casecurity.org/wp-content/uploads/2016/07/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf.
>
> Thanks, Bruce.
>
>
> Thank you Bruce, you helped me find answers related to my second
> question. I am not 100% sure if it answers my first question. The
> minimum requirements for code signing document describes a scenario
> where there are explicit Subordinate CA Certificates for TimeStamping
> but there is no requirement that forbids end-entity certificates to be
> issued directly from the Root (at least not one I could spot straight
> away).
>
> I guess my 1st question is more focused on what is allowed under the
> currently approved CA/B Forum Baseline Requirements.
>
>
> Best regards,
> Dimitris.
>
>
>
>
> *From:*public-bounces at cabforum.org
> <mailto:public-bounces at cabforum.org>
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Dimitris
> Zacharopoulos
> *Sent:* Thursday, September 8, 2016 4:34 AM
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* [cabfpub] Questions regarding timestamping certificates
>
> Hello everyone,
>
> We are setting up a new Timestamping Authority and we are looking
> for specific rules that apply to certificates and subCA
> Certificates related to timestamping. While reading various
> standards and the CA/B Forum documents, and after looking at
> various existing implementations of publicly-trusted CAs, I have
> some questions and would appreciate any feedback from the forum.
> Although the BRs apply to SSL certificates, some Root Certificates
> might be used for both SSL and timestamping services. So the
> questions that follow apply to CAs that use the same Root
> Certificate for both SSL and timestamping purposes. Of course, the
> EV CodeSigning requirements also define some rules for "EV
> Timestamp Authorities".
>
> 1. Section 6.1.7 of the Baseline Requirements states that the
> Root CA Private Keys MUST NOT be used to sign end-entity
> certificates with some exceptions. This exception list does
> not specifically mention end-entity certificates with EKU
> id-kp-timeStamping. Are Root CAs allowed to directly issue
> end-entity certificates for timestamping authorities
> (end-entity certificates with EKU only id-kp-timeStamping)?
> 2. Section 4.9.7 describes the CRL issuance frequency for
> Subscriber and Subordinate CA Certificates. If there is a
> Subordinate CA Certificate constrained with EKU
> id-kp-timeStamping, is an end-entity certificate (with only
> id-kp-timeStamping) issued from that subCA considered a
> "Subscriber" Certificate? Should this subCA issue CRLs every 7
> days or every 12 months? My understanding (according to
> section 1.1 of the BRs) is that the end-entity certificates
> from that subCA are not required to comply with the CA/B Forum
> BRs. This should allow the CA to choose the CRL issuance (from
> that restricted subCA), to exceed the 7-day requirement.
>
>
> Thank you in advance.
>
>
> Dimitris Zacharopoulos.
>
>
>
>