cacert-devel - Fwd: Re: Timestamp services (RFC3161 and/or Authenticode)

Subject: CAcert Code Development list.

  • From: Ian G <iang AT cacert.org>
  • To: "CAcert Code Development list." <cacert-devel AT lists.cacert.org>
  • Subject: Fwd: Re: Timestamp services (RFC3161 and/or Authenticode)
  • Date: Tue, 30 Aug 2011 19:50:27 +1000
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

I guess we don't do either?



-------- Original Message --------
Subject: Re: Timestamp services (RFC3161 and/or Authenticode)
Date: Tue, 30 Aug 2011 09:34:38 +0100
From: Rob Stradling <rob.stradling AT comodo.com>
To: dev-security-policy AT lists.mozilla.org
CC: MozPol <mozilla-dev-security-policy AT lists.mozilla.org>, Kyle Hamilton <aerowolf AT gmail.com>

On Tuesday 30 Aug 2011 02:45:00 Kyle Hamilton wrote:
> All,
>
> There are two competing time stamp formats (that I can find).  These are
> Authenticode and RFC3161.
>
> I would like to learn which CAs offer time stamp services, whether they
> offer Authenticode, RFC3161, or both, and their pricing.

Hi Kyle.

Microsoft require all Code Signing CAs in the Microsoft Root Certificate
Program to "operate a timestamp server authority (TSA) in conjunction with
their code signing service, and as a best practice request that Subscribers
timestamp the digital signature after signing their code. Effective no later
than October 31, 2011, the TSA must comply with RFC 3161" [1]

So I'm expecting to see more CAs offering RFC3161 services in the near future.

The Windows 7 implementation of Authenticode still supports Microsoft's legacy
PKCS#7 countersignature timestamping [2], but it also introduces support for
RFC3161 timestamping [3].

[1] I understand that all of the affected CAs have been privately informed, but
I've not seen this requirement published anywhere on Microsoft's website yet.

[2] http://msdn.microsoft.com/en-us/library/bb931395%28v=vs.85%29.aspx

[3] http://msdn.microsoft.com/en-us/library/aa387764%28v=vs.85%29.aspx
(signtool's "/tr" and "/td" flags)

> StartCom offers RFC3161.
> Verisign offers Authenticode.
> Comodo offers Authenticode.

Actually, we offer both:
http://timestamp.comodoca.com/authenticode
http://timestamp.comodoca.com/rfc3161

> There are many other CAs in existence, though, and I'd like to get a sense
> of the landscape to see what I can realistically develop an application to
> consume.
>
> Thank you for your time.
>
> -Kyle H

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy AT lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
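
For readers comparing the two formats discussed in this thread, the following added example (not part of the original messages, and not code from CAcert, Comodo or Microsoft) shows what an RFC 3161 client puts on the wire: it DER-encodes a TimeStampReq over a SHA-256 digest and reads the PKIStatus out of a TimeStampResp. The function names, the choice of SHA-256 and the sample bytes are assumptions made for illustration.

```python
import hashlib

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(value):
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data, nonce, cert_req=True):
    """Return a DER TimeStampReq (RFC 3161, section 2.4.1) over SHA-256(data)."""
    algorithm = der(0x30, SHA256_OID + der(0x05, b""))  # AlgorithmIdentifier, NULL parameters
    imprint = der(0x30, algorithm + der(0x04, hashlib.sha256(data).digest()))
    body = der_int(1) + imprint + der_int(nonce)        # version v1, messageImprint, nonce
    if cert_req:                                        # certReq is DEFAULT FALSE: encode only TRUE
        body += der(0x01, b"\xff")
    return der(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                    # long form: low bits give the length size
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def response_status(resp):
    """Return PKIStatus from a TimeStampResp: 0 granted, 1 grantedWithMods, 2 rejection."""
    tag, outer, _ = read_tlv(resp, 0)                   # TimeStampResp SEQUENCE
    if tag != 0x30:
        raise ValueError("TimeStampResp must be a SEQUENCE")
    _, status_info, _ = read_tlv(outer, 0)              # PKIStatusInfo SEQUENCE
    tag, status, _ = read_tlv(status_info, 0)           # PKIStatus INTEGER
    if tag != 0x02:
        raise ValueError("PKIStatus must be an INTEGER")
    return int.from_bytes(status, "big")

# Constructed inputs for illustration, not captured traffic.
SAMPLE_REQUEST = build_timestamp_request(b"signed code blob", nonce=0x1122334455667788)
SAMPLE_REJECTION = bytes.fromhex("30053003020102")      # status 2 (rejection), no token
```

Over HTTP, RFC 3161 carries the request as a POST body with Content-Type `application/timestamp-query`. A client should also check that the nonce and message imprint in the returned token match what it sent before trusting the timestamp.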



