Re: [cabfpub] [EXTERNAL] Re: [Cscwg-public] Code signing and Time stamping
a code signing certificate as well, so it's
in scope", because that logic could also say "Well, code is delivered via
TLS, and the certificate is used to sign the TLS handshake transcript, so
in a way, a TLS certificate is a code signing certificate".
While we're sympathetic to understand the role that timestamping can play
within code signing, particularly with respect to validation and the
operation of revocation services, we're interested in finding a workable
path forward here, but we want to make sure we've got a clear understanding
of the scope that participants have agreed upon, to ensure we don't create
a situation that is going to further creep in scope.
On Mon, Apr 26, 2021 at 9:18 AM Bruce Morton via Public
wrote:
> To follow up, the CSCWG charter includes the following documents:
>
> a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
>
> b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Code Signing Certificates
> (subject to the CSCWG making a written finding that the provenance of such
> document is sufficiently covered by the Forum’s IPR Policy)
>
>
>
> The documents define requirements or reference: timestamp authority (TSA),
> timestamps, timestamp implementation method, timestamp certificate,
> timestamp signed objects, TSA logging, and timestamp key protection. The
> documents also define the certificate profiles for timestamp root,
> timestamp subordinate CA and timestamp authority. As such, the CSCWG has
> considered it is in scope to manage these documents and the requirements
> associated to allow timestamp signatures with code signed using
> certificates conforming to the CSBRs.
>
>
>
> The CSBRs also state, “CAs complying with these Requirements MAY also
> assert the reserved policy OIDs in such Certificates.” The reserved policy
> OIDs reference those required for Non-EV and EV code signing certificates.
> The CSBRs do not reference an OID for a timestamp certificate, since the
> OID has not been reserved. It is also considered appropriate to use all
> applicable reserved certificate policy OIDs as we consider deploying
> dedicated PKI hierarchies to support code signing.
>
>
>
> As such, the CSCWG plans to add the following reserved certificate policy
> OID to the CSBRs, which may be included in a timestamp certificate, which
> meets the requirements of the CSBRs:
>
> {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
> certificate-policies(1) code-signing-requirements(4) timestamping(2)}
> (2.23.140.1.4.2)
>
>
>
>
>
> Bruce.
>
>
>
>
>
> *From:* Cscwg-public *On Behalf Of *Ben
> Wilson via Cscwg-public
> *Sent:* Tuesday, April 20, 2021 12:09 PM
> *To:* Dean Coclin ; CA/Browser Forum Public
> Discussion List
> *Cc:* cscwg-pub...@cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] [cabfpub] Code signing and Time
> stamping
>
>
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the
> content is safe.
> --
>
> Just a few thoughts to move this conversation forward, and speaking as a
> CSCWG interested party and not to advocate any position of Mozilla, I think
> the answer depends on how strict or flexible the CABF wants to be as an
> organization when it comes to interpreting the scope of a working group
> charter.
>
>
>
> It seems that the mention of time stamping in a code signing work product
> would be allowed even under a strict interpretation. While creating
> standards for issuing and managing time stamping certificates would
> certainly be out of scope with a flexible interpretation.
>
>
>
> The Scope in the Charter does not expressly include or exclude the
> assignment of a time stamping OID for time stamping certificates.
>
>
> https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope
> <https://urldefense.com/v3/__https:/cabforum.org/2019/03/26/code-signing-certificate-wg-charter/*1-Scope__;Iw!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-Y764wXA$>
>
>
>
> Included in the scope is "Version 1.0 Draft of November 19, 2015, Baseline
> Requirements for the Issuance and Management of Publicly-Trusted Code
> Signing Certificates (subject to the CSCWG making a written finding that
> the provenance of such document is sufficiently covered by the Forum’s IPR
> Policy)." Time stamping was discussed in that draft, and I recall that the
> CSCWG did make the required written finding of provenance. Is the
> assignment of a timestamping OID a logical outcome of the continued work on
> that earlier do
Re: [cabfpub] [EXTERNAL] Re: [Cscwg-public] Code signing and Time stamping
To follow up, the CSCWG charter includes the following documents:
a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for the
Issuance and Management of Publicly-Trusted Code Signing Certificates (subject
to the CSCWG making a written finding that the provenance of such document is
sufficiently covered by the Forum’s IPR Policy)
The documents define requirements or reference: timestamp authority (TSA),
timestamps, timestamp implementation method, timestamp certificate, timestamp
signed objects, TSA logging, and timestamp key protection. The documents also
define the certificate profiles for timestamp root, timestamp subordinate CA
and timestamp authority. As such, the CSCWG has considered it is in scope to
manage these documents and the requirements associated to allow timestamp
signatures with code signed using certificates conforming to the CSBRs.
The CSBRs also state, “CAs complying with these Requirements MAY also assert
the reserved policy OIDs in such Certificates.” The reserved policy OIDs
reference those required for Non-EV and EV code signing certificates. The CSBRs
do not reference an OID for a timestamp certificate, since the OID has not been
reserved. It is also considered appropriate to use all applicable reserved
certificate policy OIDs as we consider deploying dedicated PKI hierarchies to
support code signing.
As such, the CSCWG plans to add the following reserved certificate policy OID
to the CSBRs, which may be included in a timestamp certificate, which meets the
requirements of the CSBRs:
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) code-signing-requirements(4) timestamping(2)}
(2.23.140.1.4.2)
Bruce.
From: Cscwg-public On Behalf Of Ben Wilson
via Cscwg-public
Sent: Tuesday, April 20, 2021 12:09 PM
To: Dean Coclin ; CA/Browser Forum Public Discussion
List
Cc: cscwg-pub...@cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] [cabfpub] Code signing and Time stamping
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the
content is safe.
Just a few thoughts to move this conversation forward, and speaking as a CSCWG
interested party and not to advocate any position of Mozilla, I think the
answer depends on how strict or flexible the CABF wants to be as an
organization when it comes to interpreting the scope of a working group charter.
It seems that the mention of time stamping in a code signing work product would
be allowed even under a strict interpretation. While creating standards for
issuing and managing time stamping certificates would certainly be out of scope
with a flexible interpretation.
The Scope in the Charter does not expressly include or exclude the assignment
of a time stamping OID for time stamping certificates.
https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/#1-Scope<https://urldefense.com/v3/__https:/cabforum.org/2019/03/26/code-signing-certificate-wg-charter/*1-Scope__;Iw!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-Y764wXA$>
Included in the scope is "Version 1.0 Draft of November 19, 2015, Baseline
Requirements for the Issuance and Management of Publicly-Trusted Code Signing
Certificates (subject to the CSCWG making a written finding that the provenance
of such document is sufficiently covered by the Forum’s IPR Policy)." Time
stamping was discussed in that draft, and I recall that the CSCWG did make the
required written finding of provenance. Is the assignment of a timestamping
OID a logical outcome of the continued work on that earlier document?
Ben
On Mon, Apr 19, 2021 at 2:31 PM Dean Coclin via Public
mailto:public@cabforum.org>> wrote:
A discussion on last week’s CA/B call about code signing and time stamping
brought up a question as to whether the latter was in scope of the CSCWG
charter
(https://cabforum.org/2019/03/26/code-signing-certificate-wg-charter/<https://urldefense.com/v3/__https:/cabforum.org/2019/03/26/code-signing-certificate-wg-charter/__;!!FJ-Y8qCqXTj2!KO_2DRjCLlG3XphTaFOKt3DIbyewuzdXb3w04DZftMjNQ74YZEHuLmO13bB-wNVdJJQ$>).
Bruce said there was no CP OID for time stamping and that the group wanted to
create one IAW with the CA/B Forum registry. Ryan was concerned that this was
outside the CSCWG charter as it was not specifically mentioned therein.
Dimitris commented that it was included in charter scope 1a which pulls in the
EV CS guidelines where time stamping is specified. Ryan did not seem convinced
and asked that the discussion continue on the list.
The working group has not had a chance to discuss this since the Forum meeting
but plans to do so on the next call.
I’ve included the CS Public list on this thread since the topic is of interest
to members/observers there. If a resp
