[cabfpub] Code signing and Time stamping

Ben Wilson bwilson at mozilla.com
Tue Apr 20 16:08:45 UTC 2021


Just a few thoughts to move this conversation forward, and speaking as a
CSCWG interested party and not to advocate any position of Mozilla, I think
the answer depends on how strict or flexible the CABF wants to be as an
organization when it comes to interpreting the scope of a working group
charter.

It seems that the mention of time stamping in a code signing work product
would be allowed even under a strict interpretation, while creating
standards for issuing and managing time stamping certificates would
certainly be out of scope with a flexible interpretation.

The Scope in the Charter does not expressly include or exclude the
assignment of a time stamping OID for time stamping certificates.
https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope

Included in the scope is "Version 1.0 Draft of November 19, 2015, Baseline
Requirements for the Issuance and Management of Publicly-Trusted Code
Signing Certificates (subject to the CSCWG making a written finding that
the provenance of such document is sufficiently covered by the Forum’s IPR
Policy)."  Time stamping was discussed in that draft, and I recall that the
CSCWG did make the required written finding of provenance.  Is the
assignment of a timestamping OID a logical outcome of the continued work on
that earlier document?

Ben



On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public <public at cabforum.org>
wrote:

> A discussion on last week’s CA/B call about code signing and time stamping
> brought up a question as to whether the latter was in scope of the CSCWG
> charter (
> https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/).
>
>
>
> Bruce said there was no CP OID for time stamping and that the group wanted
> to create one IAW with the CA/B Forum registry. Ryan was concerned that
> this was outside the CSCWG charter as it was not specifically mentioned
> therein. Dimitris commented that it was included in charter scope 1a which
> pulls in the EV CS guidelines where time stamping is specified. Ryan did
> not seem convinced and asked that the discussion continue on the list.
>
>
>
> The working group has not had a chance to discuss this since the Forum
> meeting but plans to do so on the next call.
>
>
>
> I’ve included the CS Public list on this thread since the topic is of
> interest to members/observers there. If a respondent does not have posting
> rights, I can re-post for them.
>
>
>
> Dean