[cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping
Adriano Santoni
adriano.santoni at staff.aruba.it
Thu Apr 29 09:41:33 UTC 2021
Well, considering that Adobe is not currently a CABF member, I see no
context wherein time stamping plays a role, other than code signing.
Adobe already trusts qualified time stamping providers (according to EU
regulations) based on the EU trust lists, in the context of Document
Signing, and I am not aware that they may want to also trust time stamps
based on different criteria.
In theory, time stamping could be used to extend the validity of an
S/MIME signature beyond the signing certificate's expiration, but there
is no S/MIME client supporting this, and no plans to support it in the
future, so this is just theory. After all, S/MIME signatures are not
meant for the long-term.
Is there any other context that I am overlooking?
Adriano
Il 29/04/2021 11:07, Rob Stradling via Public ha scritto:
> Could it be argued, at least conceptually, that there should be a
> separate CABForum working group dedicated entirely to Time Stamping?
> After all, the Code Signing ecosystem doesn't have a monopoly on Time
> Stamping. For example, Adobe software uses Time Stamping in the
> context of Document Signing. If Adobe wanted to collaborate with
> CABForum members on Time Stamping certificate profiles, what (assuming
> Adobe had no interest in Code Signing) would be the best venue for that?
>
> (Please note: I'm not advocating any position here; I'm just thinking
> aloud).
>
> ------------------------------------------------------------------------
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> on behalf of
> Bruce Morton via Cscwg-public <cscwg-public at cabforum.org>
> *Sent:* 26 April 2021 14:18
> *To:* Ben Wilson <bwilson at mozilla.com>; cscwg-public at cabforum.org
> <cscwg-public at cabforum.org>; Dean Coclin <dean.coclin at digicert.com>;
> CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* Re: [Cscwg-public] [EXTERNAL] Re: [cabfpub] Code signing
> and Time stamping
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
> To follow up, the CSCWG charter includes the following documents:
>
> a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
>
> b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Code Signing
> Certificates (subject to the CSCWG making a written finding that the
> provenance of such document is sufficiently covered by the Forum’s IPR
> Policy)
>
> The documents define requirements or reference: timestamp authority
> (TSA), timestamps, timestamp implementation method, timestamp
> certificate, timestamp signed objects, TSA logging, and timestamp key
> protection. The documents also define the certificate profiles for
> timestamp root, timestamp subordinate CA and timestamp authority. As
> such, the CSCWG has considered it is in scope to manage these
> documents and the requirements associated to allow timestamp
> signatures with code signed using certificates conforming to the CSBRs.
>
> The CSBRs also state, “CAs complying with these Requirements MAY also
> assert the reserved policy OIDs in such Certificates.” The reserved
> policy OIDs reference those required for Non-EV and EV code signing
> certificates. The CSBRs do not reference an OID for a timestamp
> certificate, since the OID has not been reserved. It is also
> considered appropriate to use all applicable reserved certificate
> policy OIDs as we consider deploying dedicated PKI hierarchies to
> support code signing.
>
> As such, the CSCWG plans to add the following reserved certificate
> policy OID to the CSBRs, which may be included in a timestamp
> certificate, which meets the requirements of the CSBRs:
>
> {joint-iso-itu-t(2) international-organizations(23)
> ca-browser-forum(140) certificate-policies(1)
> code-signing-requirements(4) timestamping(2)} (2.23.140.1.4.2)
>
> Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> * Ben Wilson via Cscwg-public
> *Sent:* Tuesday, April 20, 2021 12:09 PM
> *To:* Dean Coclin <dean.coclin at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Cc:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] [cabfpub] Code signing and
> Time stamping
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know
> the content is safe.
>
> ------------------------------------------------------------------------
>
> Just a few thoughts to move this conversation forward, and speaking as
> a CSCWG interested party and not to advocate any position of Mozilla,
> I think the answer depends on how strict or flexible the CABF wants to
> be as an organization when it comes to interpreting the scope of a
> working group charter.
>
> It seems that the mention of time stamping in a code signing work
> product would be allowed even under a strict interpretation. While
> creating standards for issuing and managing time stamping certificates
> would certainly be out of scope with a flexible interpretation.
>
> The Scope in the Charter does not expressly include or exclude the
> assignment of a time stamping OID for time stamping certificates.
>
> https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fcabforum.org%2F2019%2F03%2F26%2Fcode-signing-certificate-wg-charter%2F*1-Scope__%3BIw!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-Y764wXA%24&data=04%7C01%7C%7C427335acc5eb4722c34408d908b5c6ea%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637550399087360682%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=On%2FYLtGShUwaWS%2FOYXT0aqM7HYc7PBpRLxglLEMhWN0%3D&reserved=0>
>
> Included in the scope is "Version 1.0 Draft of November 19, 2015,
> Baseline Requirements for the Issuance and Management of
> Publicly-Trusted Code Signing Certificates (subject to the CSCWG
> making a written finding that the provenance of such document is
> sufficiently covered by the Forum’s IPR Policy)." Time stamping was
> discussed in that draft, and I recall that the CSCWG did make the
> required written finding of provenance. Is the assignment of a
> timestamping OID a logical outcome of the continued work on that
> earlier document?
>
> Ben
>
> On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
> A discussion on last week’s CA/B call about code signing and time
> stamping brought up a question as to whether the latter was in
> scope of the CSCWG charter
> (https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fcabforum.org%2F2019%2F03%2F26%2Fcode-signing-certificate-wg-charter%2F__%3B!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-wNVdJJQ%24&data=04%7C01%7C%7C427335acc5eb4722c34408d908b5c6ea%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637550399087370641%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=hife2VbpDtPAJlkwyMrVvFS%2Btf3CL78iZCa7Ah6iACk%3D&reserved=0>).
>
>
> Bruce said there was no CP OID for time stamping and that the
> group wanted to create one IAW with the CA/B Forum registry. Ryan
> was concerned that this was outside the CSCWG charter as it was
> not specifically mentioned therein. Dimitris commented that it was
> included in charter scope 1a which pulls in the EV CS guidelines
> where time stamping is specified. Ryan did not seem convinced and
> asked that the discussion continue on the list.
>
> The working group has not had a chance to discuss this since the
> Forum meeting but plans to do so on the next call.
>
> I’ve included the CS Public list on this thread since the topic is
> of interest to members/observers there. If a respondent does not
> have posting rights, I can re-post for them.
>
> Dean
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://lists.cabforum.org/mailman/listinfo/public
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fpublic__%3B!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-PBR_9ZU%24&data=04%7C01%7C%7C427335acc5eb4722c34408d908b5c6ea%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637550399087370641%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=XkyrmSZpATznL0Ry%2Bs8TxfVdsrosYWJPcmJaZnLRydo%3D&reserved=0>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20210429/a623dd50/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/public/attachments/20210429/a623dd50/attachment-0001.p7s>
More information about the Public
mailing list