Re: [pkix] Requesting information on Time stamp authority certificate expiry.

Koichi Sugimoto <koichi.sugimoto@globalsign.com> Fri, 05 January 2018 03:01 UTC

Return-Path: <koichi.sugimoto@globalsign.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDAEC1242EA for <pkix@ietfa.amsl.com>; Thu, 4 Jan 2018 19:01:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=globalsign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-xL0Ylf3BLX for <pkix@ietfa.amsl.com>; Thu, 4 Jan 2018 19:01:18 -0800 (PST)
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-pu1apc01on0118.outbound.protection.outlook.com [104.47.126.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A0C1200F3 for <pkix@ietf.org>; Thu, 4 Jan 2018 19:01:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xq79Xxo+7K/LF9gliltGio6jZ+0Q1B9HWNig/4VMUwg=; b=K3ACGdSYHaPAaqusjJoFWDPYlWUcWwutUoWjT4KbNEXtoAqVO2VHvbJuopSttkoXxWpm5gFv15xpU9hLzvsaNS6X8cg9XV2dZK6+cu2KYSREeca7mpz0jZ33uTzZps3OOdCNUalV4vdqe3HC5n/Yo9MEpzpqz4jCDTJx9HgtXtM=
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com (10.169.54.19) by SG2PR03MB1551.apcprd03.prod.outlook.com (10.169.55.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.407.1; Fri, 5 Jan 2018 03:01:12 +0000
Received: from SG2PR03MB1421.apcprd03.prod.outlook.com ([fe80::e85f:128a:3cd5:a24f]) by SG2PR03MB1421.apcprd03.prod.outlook.com ([fe80::e85f:128a:3cd5:a24f%2]) with mapi id 15.20.0407.000; Fri, 5 Jan 2018 03:01:11 +0000
From: Koichi Sugimoto <koichi.sugimoto@globalsign.com>
To: Anoop Gulati <anoopgulati@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Requesting information on Time stamp authority certificate expiry.
Thread-Index: AQHThYkLGu7iHyhXSUuT7BmYkBahzaNklG3A
Date: Fri, 5 Jan 2018 03:01:11 +0000
Message-ID: <SG2PR03MB1421B4ADB9DFBDE7359AAA8F9D1C0@SG2PR03MB1421.apcprd03.prod.outlook.com>
References: <CAEZbcisdn226uNoG4NVv8R3rGPz7A=2PVCPR7nRbiM7Zi-UBhw@mail.gmail.com>
In-Reply-To: <CAEZbcisdn226uNoG4NVv8R3rGPz7A=2PVCPR7nRbiM7Zi-UBhw@mail.gmail.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=koichi.sugimoto@globalsign.com;
x-originating-ip: [27.121.42.217]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SG2PR03MB1551; 7:h8bGBNJm3PXBDEf4Nu3QBX+xjRhUbkS1xfH8LFrgJsWZebcx8/Cv9WcNrKAPuzqolalhF2+HmeJkQtfFeYpo3S7ISGSRhPcG6eXsSUwDK8AqY4b0hR3n7pUKgAQ9hWkuqMaHbXHBNBujEFJrgpSYtfG0dSaE/JL+QL4zoaLh929VpLxPcIo4bLUVeVrahMEDuneTBWj4vaVGHBcAJUXS62ODU+doX7v5GPAWY4NJOSzkZJtjVYass3BtUCXTT5KN
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: e919a47a-4ca7-42b3-0759-08d553e893c9
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060); SRVR:SG2PR03MB1551;
x-ms-traffictypediagnostic: SG2PR03MB1551:
x-microsoft-antispam-prvs: <SG2PR03MB15510129830481541588BE199D1C0@SG2PR03MB1551.apcprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231023)(944501075)(93006095)(93001095)(6041268)(20161123562045)(20161123558120)(20161123564045)(201703131423095)(201703011903075)(201702281528075)(20161123555045)(201703061421075)(20161123560045)(6072148)(201708071742011); SRVR:SG2PR03MB1551; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:SG2PR03MB1551;
x-forefront-prvs: 05437568AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7966004)(39380400002)(39860400002)(396003)(366004)(376002)(346002)(189003)(199004)(2950100002)(74316002)(3660700001)(106356001)(6116002)(68736007)(9686003)(86362001)(6306002)(59450400001)(33656002)(3846002)(76176011)(3280700002)(966005)(6506007)(25786009)(55016002)(606006)(66066001)(316002)(2501003)(229853002)(97736004)(5660300001)(53546011)(7696005)(14454004)(99286004)(2906002)(105586002)(2900100001)(6246003)(53936002)(236005)(508600001)(7736002)(8676002)(8936002)(54896002)(6436002)(39060400002)(102836004)(81166006)(5250100002)(110136005)(81156014); DIR:OUT; SFP:1102; SCL:1; SRVR:SG2PR03MB1551; H:SG2PR03MB1421.apcprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: globalsign.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: r50tiSMEGNGSWojTzakY5Z2IFwai8CZ0+YlUBVRT6hvskBA9mUM6koLZ/u6O0bumnkSIB7CdbAaAlClm6TT0UA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_SG2PR03MB1421B4ADB9DFBDE7359AAA8F9D1C0SG2PR03MB1421apcp_"
MIME-Version: 1.0
X-OriginatorOrg: globalsign.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e919a47a-4ca7-42b3-0759-08d553e893c9
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2018 03:01:11.8642 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8fff67c1-8281-4635-b62f-93106cb7a9a8
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2PR03MB1551
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/9laig2h99zJmAcM5A1AEJIsg3j8>
Subject: Re: [pkix] Requesting information on Time stamp authority certificate expiry.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2018 03:01:21 -0000

Hello & Happy New Year,

This problem also relates to code signing.
As specified in “Minimum Requirements for Code Signing Certificates” managed by CSCA, revocation of code signing certificates also affects the signed objects.
SEE: https://casecurity.org/2016/07/20/minimum-requirements-for-code-signing-certificates/
But AFAIK, such behavior has not been explained in this working group either.


Regards,
Koichi Sugimoto.

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Anoop Gulati
Sent: Friday, January 5, 2018 3:22 AM
To: pkix@ietf.org
Subject: [pkix] Requesting information on Time stamp authority certificate expiry.

Hi Team,
Happy 2018!

I'm requesting some clarification on the status of a timestamped signature when the timestamp authority (TSA) certificate expires.
My understanding is that a timestamp is applied to a digital signature to ensure the digital signature continues to stay valid past the lifetime of the signing certificate.
RFC 3161, in section 4.3, briefly talks about TSA certificate lifetimes, but it does not clarify the situation of a natural TSA certificate expiry.

We recently experienced an enterprise-wide outage when Java started to error out on a signed & timestamped jar file when the TSA certificate expired.
Windows, on the other hand, does not error out on signed & timestamped files on TSA certificate expiry.

So it seems that even the implementation between platforms is not consistent.
Hence I'm writing to understand how expiry of a TSA certificate impacts existing signed and timestamped files.
Sincere apologies in advance if this is not the right platform to discuss this; I was not able to find a working group specifically for digital timestamps & TSAs.

Thanks,

Anoop
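As an added illustration (not part of this thread, and not a description of how Java or Windows actually implement verification), the following Python models three validity rules a verifier could apply to a signed-and-timestamped file like the one in Anoop's question. Every certificate here is reduced to a constructed validity window, the TSA names, dates and the "renewal chain" structure are assumptions for the example, and there is no real X.509 or RFC 3161 parsing; the point is only *at which instant* each certificate is judged, because that is what decides whether files start failing on the day a TSA certificate expires.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def dt(year: int, month: int, day: int) -> datetime:
    """UTC instant helper for the constructed sample data below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertWindow:
    """A certificate reduced to its validity window (constructed, no X.509 parsing)."""
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class TimestampToken:
    """An RFC 3161 token reduced to its genTime and the TSA certificate that signed it."""
    gen_time: datetime
    tsa_cert: CertWindow


@dataclass(frozen=True)
class TimestampedSignature:
    signer_cert: CertWindow
    # tokens[0] covers the signature; tokens[i] covers tokens[i-1] (a renewal chain).
    # Hypothetical structure for the example, not a CMS/CAdES layout.
    tokens: List[TimestampToken]


POLICIES = ("tsa-now", "tsa-at-gentime", "chain")


def verify(sig: TimestampedSignature, now: datetime, policy: str) -> Tuple[bool, str]:
    """Evaluate a timestamped signature at instant `now` under one of three rules.

    tsa-now:        signer cert judged at tokens[0].gen_time (what the timestamp buys
                    you), but every TSA cert must still be valid at `now`. The day the
                    TSA cert expires, every file it ever timestamped fails, which is
                    the outage pattern described in the thread.
    tsa-at-gentime: each TSA cert judged only at its own token's genTime, so TSA
                    expiry is never noticed and no fresh evidence is ever demanded.
    chain:          each certificate judged at the instant the next layer proves it
                    existed: signer cert at tokens[0].gen_time, tokens[i].tsa_cert at
                    tokens[i+1].gen_time, and only the outermost TSA cert at `now`.
                    This is the long-term-validation model in which renewal matters.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not sig.tokens:
        return sig.signer_cert.valid_at(now), "no timestamp: signer cert judged at now"
    first = sig.tokens[0]
    if not sig.signer_cert.valid_at(first.gen_time):
        return False, f"signer cert {sig.signer_cert.name} not valid at {first.gen_time.date()}"
    for tok in sig.tokens:
        if tok.gen_time > now:  # a token cannot predate its own verification
            return False, f"token genTime {tok.gen_time.date()} is later than now"
    # A renewal token must not claim to predate the token it covers.
    for prev, nxt in zip(sig.tokens, sig.tokens[1:]):
        if nxt.gen_time < prev.gen_time:
            return False, "renewal timestamp is older than the token it covers"
    for i, tok in enumerate(sig.tokens):
        if policy == "tsa-now":
            judge_at = now
        elif policy == "tsa-at-gentime":
            judge_at = tok.gen_time
        else:  # chain
            judge_at = sig.tokens[i + 1].gen_time if i + 1 < len(sig.tokens) else now
        if not tok.tsa_cert.valid_at(judge_at):
            return False, f"TSA cert {tok.tsa_cert.name} not valid at {judge_at.date()} ({policy})"
    return True, f"valid under {policy}"


def scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed data: a code-signing cert that expired at the end of 2016, a TSA
    cert that expired at the end of 2017, and the verifier run on 2018-01-04."""
    signer = CertWindow("codesign-2015", dt(2015, 1, 1), dt(2016, 12, 31))
    tsa_old = CertWindow("tsa-2014", dt(2014, 1, 1), dt(2017, 12, 31))
    tsa_new = CertWindow("tsa-2017", dt(2017, 1, 1), dt(2027, 12, 31))

    original = TimestampedSignature(signer, [TimestampToken(dt(2016, 6, 1), tsa_old)])
    # Renewed before tsa_old expired: a token from a newer TSA covers the first one.
    renewed = TimestampedSignature(
        signer, original.tokens + [TimestampToken(dt(2017, 11, 1), tsa_new)])

    cases = (("original", original, dt(2017, 6, 1)),   # before TSA expiry
             ("original", original, dt(2018, 1, 4)),   # after TSA expiry
             ("renewed", renewed, dt(2018, 1, 4)))     # after expiry, but renewed
    results: Dict[str, Tuple[bool, str]] = {}
    for label, sig, when in cases:
        for policy in POLICIES:
            results[f"{label}/{when.date().isoformat()}/{policy}"] = verify(sig, when, policy)
    return results


if __name__ == "__main__":
    for key, (ok, why) in scenario().items():
        print(f"{'OK  ' if ok else 'FAIL'} {key:36} {why}")
```

Run stand-alone, the table shows the three rules agreeing while the TSA certificate is still in its validity period and diverging after it: `tsa-now` rejects the original file outright, `tsa-at-gentime` accepts it forever, and `chain` rejects it unless a fresher token was added before the old TSA certificate expired, after which it accepts the renewed file while `tsa-now` still does not. The `chain` rule is the usual long-term-validation reasoning: each layer only has to have been valid at the moment the next layer proved it existed, so an archive stays verifiable as long as the outermost timestamp is renewed before its TSA certificate runs out. The lenient `tsa-at-gentime` rule avoids the outage but gives up that protection, since a token signed with a key whose certificate has long expired is accepted on its own say-so, with no later evidence that the genTime it claims was ever witnessed.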