
cacert-devel - Fwd: Re: Timestamp services (RFC3161 and/or Authenticode)

Subject: CAcert Code Development list.

  • From: Ian G <iang AT>
  • To: "CAcert Code Development list." <cacert-devel AT>
  • Subject: Fwd: Re: Timestamp services (RFC3161 and/or Authenticode)
  • Date: Tue, 30 Aug 2011 19:50:27 +1000

I guess we don't do either?

-------- Original Message --------
Subject: Re: Timestamp services (RFC3161 and/or Authenticode)
Date: Tue, 30 Aug 2011 09:34:38 +0100
From: Rob Stradling <rob.stradling AT>
To: dev-security-policy AT
CC: MozPol <mozilla-dev-security-policy AT>, Kyle Hamilton <aerowolf AT>

On Tuesday 30 Aug 2011 02:45:00 Kyle Hamilton wrote:

> There are two competing time stamp formats (that I can find).  These are
> Authenticode and RFC3161.
>
> I would like to learn which CAs offer time stamp services, whether they
> offer Authenticode, RFC3161, or both, and their pricing.

Hi Kyle.

Microsoft require all Code Signing CAs in the Microsoft Root Certificate
Program to "operate a timestamp server authority (TSA) in conjunction with
their code signing service, and as a best practice request that Subscribers
timestamp the digital signature after signing their code. Effective no later
than October 31, 2011, the TSA must comply with RFC 3161" [1]

So I'm expecting to see more CAs offering RFC3161 services in the near future.

The Windows 7 implementation of Authenticode still supports Microsoft's legacy
PKCS#7 countersignature timestamping [2], but it also introduces support for
RFC3161 timestamping [3].

[1] I understand that all of the affected CAs have been privately informed, but
I've not seen this requirement published anywhere on Microsoft's website yet.


(signtool's "/tr" and "/td" flags)

> StartCom offers RFC3161.
> Verisign offers Authenticode.
> Comodo offers Authenticode.

Actually, we offer both:

> There are many other CAs in existence, though, and I'd like to get a sense
> of the landscape to see what I can realistically develop an application to
>
> Thank you for your time.
>
> -Kyle H

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online