[cabfpub] [Cscwg-public] [EXTERNAL] Re: Code signing and Time stamping

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Apr 29 09:41:33 UTC 2021


Well, considering that Adobe is not currently a CABF member, I see no 
context wherein time stamping plays a role, other than code signing.

Adobe already trusts qualified time stamping providers (according to EU 
regulations) based on the EU trust lists, in the context of Document 
Signing, and I am not aware that they may want to also trust time stamps 
based on different criteria.


In theory, time stamping could be used to extend the validity of an 
S/MIME signature beyond the signing certificate's expiration, but there 
is no S/MIME client supporting this, and no plans to support it in the 
future, so this is just theory. After all, S/MIME signatures are not 
meant for the long-term.


Is there any other context that I am overlooking?


Adriano


On 29/04/2021 11:07, Rob Stradling via Public wrote:
> Could it be argued, at least conceptually, that there should be a 
> separate CABForum working group dedicated entirely to Time Stamping?  
>
> After all, the Code Signing ecosystem doesn't have a monopoly on Time 
> Stamping.  For example, Adobe software uses Time Stamping in the 
> context of Document Signing.  If Adobe wanted to collaborate with 
> CABForum members on Time Stamping certificate profiles, what (assuming 
> Adobe had no interest in Code Signing) would be the best venue for that?
>
> (Please note: I'm not advocating any position here; I'm just thinking 
> aloud).
>
> ------------------------------------------------------------------------
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> on behalf of 
> Bruce Morton via Cscwg-public <cscwg-public at cabforum.org>
> *Sent:* 26 April 2021 14:18
> *To:* Ben Wilson <bwilson at mozilla.com>; cscwg-public at cabforum.org 
> <cscwg-public at cabforum.org>; Dean Coclin <dean.coclin at digicert.com>; 
> CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* Re: [Cscwg-public] [EXTERNAL] Re: [cabfpub] Code signing 
> and Time stamping
>
> To follow up, the CSCWG charter includes the following documents:
>
> a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
>
> b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for 
> the Issuance and Management of Publicly-Trusted Code Signing 
> Certificates (subject to the CSCWG making a written finding that the 
> provenance of such document is sufficiently covered by the Forum’s IPR 
> Policy)
>
> The documents define requirements or reference: timestamp authority 
> (TSA), timestamps, timestamp implementation method, timestamp 
> certificate, timestamp signed objects, TSA logging, and timestamp key 
> protection. The documents also define the certificate profiles for 
> timestamp root, timestamp subordinate CA and timestamp authority. As 
> such, the CSCWG has considered it is in scope to manage these 
> documents and the requirements associated to allow timestamp 
> signatures with code signed using certificates conforming to the CSBRs.
>
> The CSBRs also state, “CAs complying with these Requirements MAY also 
> assert the reserved policy OIDs in such Certificates.” The reserved 
> policy OIDs reference those required for Non-EV and EV code signing 
> certificates. The CSBRs do not reference an OID for a timestamp 
> certificate, since the OID has not been reserved. It is also 
> considered appropriate to use all applicable reserved certificate 
> policy OIDs as we consider deploying dedicated PKI hierarchies to 
> support code signing.
>
> As such, the CSCWG plans to add the following reserved certificate 
> policy OID to the CSBRs, which may be included in a timestamp 
> certificate, which meets the requirements of the CSBRs:
>
> {joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) 
> code-signing-requirements(4) timestamping(2)} (2.23.140.1.4.2)
>
> Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of* 
> Ben Wilson via Cscwg-public
> *Sent:* Tuesday, April 20, 2021 12:09 PM
> *To:* Dean Coclin <dean.coclin at digicert.com>; CA/Browser Forum Public 
> Discussion List <public at cabforum.org>
> *Cc:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] [cabfpub] Code signing and 
> Time stamping
>
>
> Just a few thoughts to move this conversation forward, and speaking as 
> a CSCWG interested party and not to advocate any position of Mozilla, 
> I think the answer depends on how strict or flexible the CABF wants to 
> be as an organization when it comes to interpreting the scope of a 
> working group charter.
>
> It seems that the mention of time stamping in a code signing work 
> product would be allowed even under a strict interpretation, while 
> creating standards for issuing and managing time stamping certificates 
> would certainly be out of scope with a flexible interpretation.
>
> The Scope in the Charter does not expressly include or exclude the 
> assignment of a time stamping OID for time stamping certificates.
>
> https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope 
>
> Included in the scope is "Version 1.0 Draft of November 19, 2015, 
> Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted Code Signing Certificates (subject to the CSCWG 
> making a written finding that the provenance of such document is 
> sufficiently covered by the Forum’s IPR Policy)."  Time stamping was 
> discussed in that draft, and I recall that the CSCWG did make the 
> required written finding of provenance.  Is the assignment of a 
> timestamping OID a logical outcome of the continued work on that 
> earlier document?
>
> Ben
>
> On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public 
> <public at cabforum.org> wrote:
>
>     A discussion on last week’s CA/B call about code signing and time
>     stamping brought up a question as to whether the latter was in
>     scope of the CSCWG charter
>     (https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/).
>
>
>     Bruce said there was no CP OID for time stamping and that the
>     group wanted to create one in accordance with the CA/B Forum registry. Ryan
>     was concerned that this was outside the CSCWG charter as it was
>     not specifically mentioned therein. Dimitris commented that it was
>     included in charter scope 1a which pulls in the EV CS guidelines
>     where time stamping is specified. Ryan did not seem convinced and
>     asked that the discussion continue on the list.
>
>     The working group has not had a chance to discuss this since the
>     Forum meeting but plans to do so on the next call.
>
>     I’ve included the CS Public list on this thread since the topic is
>     of interest to members/observers there. If a respondent does not
>     have posting rights, I can re-post for them.
>
>     Dean
>
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/public
>
>
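As an added example, not taken from this thread or from any CA/B Forum document, the Python below encodes the reserved certificate policy OID quoted above, {2 23 140 1 4 2} (2.23.140.1.4.2), to DER, decodes it back, and scans a certificatePolicies extension value for it, which is the check a relying party or auditor would run against a timestamp certificate once such an OID is asserted. Only the standard library is used; the function names are mine, and the certificatePolicies bytes are constructed for the example (anyPolicy, 2.5.29.32.0, is the RFC 5280 value), not taken from a real certificate.

```python
# Added example (not from the thread): DER encode/decode of the CSCWG timestamping
# policy OID and a scan of a certificatePolicies extension value for it.

CSCWG_TIMESTAMPING_ARC = (2, 23, 140, 1, 4, 2)   # 2.23.140.1.4.2, as quoted in the thread
ANY_POLICY_ARC = (2, 5, 29, 32, 0)                # RFC 5280 anyPolicy


def encode_oid_value(arcs):
    """DER content octets (no tag/length) of an OBJECT IDENTIFIER (X.690 8.19)."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    subids = [arcs[0] * 40 + arcs[1]] + list(arcs[2:])   # first two arcs are merged
    out = bytearray()
    for sid in subids:
        groups = []                      # base-128 groups, least significant first
        while True:
            groups.append(sid & 0x7F)
            sid >>= 7
            if sid == 0:
                break
        for i, g in enumerate(reversed(groups)):
            out.append(g | (0x80 if i < len(groups) - 1 else 0))   # continuation bit
    return bytes(out)


def der_tlv(tag, content):
    """Wrap content in a DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(arcs):
    return der_tlv(0x06, encode_oid_value(arcs))


def decode_oid_value(content):
    """Inverse of encode_oid_value; rejects non-minimal and truncated encodings."""
    subids, acc = [], 0
    for b in content:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    if acc or not subids:
        raise ValueError("truncated OID")
    first = subids[0]
    lead = (2, first - 80) if first >= 80 else (first // 40, first % 40)
    return lead + tuple(subids[1:])


def dotted(arcs):
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4:
            raise ValueError("unsupported length encoding")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + n
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def policy_oids(cert_policies_der):
    """Dotted policyIdentifier OIDs in a certificatePolicies value
    (SEQUENCE OF PolicyInformation, RFC 5280 4.2.1.4); qualifiers are ignored."""
    tag, seq, _ = read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        ptag, pinfo, pos = read_tlv(seq, pos)
        if ptag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid, _ = read_tlv(pinfo, 0)          # policyIdentifier comes first
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        found.append(dotted(decode_oid_value(oid)))
    return found


def asserts_cscwg_timestamping_policy(cert_policies_der):
    return dotted(CSCWG_TIMESTAMPING_ARC) in policy_oids(cert_policies_der)


# Constructed sample extension value: anyPolicy plus the CSCWG timestamping OID.
SAMPLE_CERT_POLICIES = der_tlv(0x30, der_tlv(0x30, encode_oid(ANY_POLICY_ARC))
                               + der_tlv(0x30, encode_oid(CSCWG_TIMESTAMPING_ARC)))

if __name__ == "__main__":
    print(encode_oid(CSCWG_TIMESTAMPING_ARC).hex())        # 060667810c010402
    print(policy_oids(SAMPLE_CERT_POLICIES), asserts_cscwg_timestamping_policy(SAMPLE_CERT_POLICIES))
```

The first content octet, 0x67, is 2*40+23, which is why the dotted form begins 2.23 while the encoded arc list has one subidentifier fewer; 140 needs two base-128 octets (0x81 0x0C). In a real certificate the bytes handed to `policy_oids` are the OCTET STRING contents of the certificatePolicies extension, after the usual tag and length have been stripped.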