Overlapping requirements for data retention period of revoked Code Signing Certificates #33

@dzacharo

Description

According to the CSBRs

  • Section 7.2: "The serial number of a revoked Certificate MUST remain on the CRL for at least 10 years after the expiration of the Certificate"
  • Section 5.4.3 "The CA, Delegated Third Parties, and Timestamp Authority MUST retain, for at least two (2) years"...
  • Section 5.4.3 (2): "Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1.2)(2) after the revocation or expiration of the Subscriber Certificate;"
  • Similarly for 5.5.2.

Based on section 7.2 a CA must keep a revoked Subscriber Certificate's serial number on the CRL for at least 10 years after the expiration of the Certificate, and of course it must be able to justify why a serial number exists in a CRL.

Effectively, this means that logs for revoked Code Signing Certificates must be retained for 10 years + the validity of the certificate (the maximum validity is currently 39 months).

IMO, we need to make this clear in sections 5.4 and 5.5.
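As an added illustration (not code from the issue, the CSBR text, or the CA/Browser Forum project), the following script computes the dates the post is reasoning about: when a revoked certificate's serial may leave the CRL under Section 7.2, when Section 5.4.3 alone would let the lifecycle records go, and the later of the two, which is the retention the issue argues is actually needed. It assumes the 2-year record clock starts at the later of revocation and expiry (the quoted text says "revocation or expiration" without picking one), uses the 39-month maximum validity stated in the issue, and the helper names (`retention_deadlines`, `may_purge_records`, `worst_case_log_horizon`) are hypothetical; the sample certificate dates are constructed.

```python
from datetime import date
from typing import Optional

# Thresholds taken from the CSBR sections quoted in the issue.
CRL_RETENTION_YEARS = 10   # Section 7.2: serial stays on the CRL >= 10 years after expiry
LOG_RETENTION_YEARS = 2    # Section 5.4.3: lifecycle records >= 2 years after revocation/expiry
MAX_VALIDITY_MONTHS = 39   # maximum Subscriber Certificate validity cited in the issue


def parse_date(s: str) -> date:
    """Parse an ISO date such as the notAfter value copied from a certificate."""
    return date.fromisoformat(s)


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    total = d.year * 12 + (d.month - 1) + months
    year, month = divmod(total, 12)
    month += 1
    next_first = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (next_first - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def retention_deadlines(not_after: date, revoked_at: Optional[date] = None) -> dict:
    """Compute the dates a CA needs for one revoked Subscriber Certificate.

    crl_until   : earliest date the serial may be dropped from the CRL (Section 7.2).
    log_minimum : earliest date Section 5.4.3 on its own would allow the lifecycle
                  records to be purged. Assumption: the 2-year clock starts at the
                  later of revocation and expiry.
    log_until   : date the records must actually be kept to, because the CA must be
                  able to justify the CRL entry for as long as it is published
                  (the issue's point); this is the later of the two dates above.
    """
    anchor = max(not_after, revoked_at or not_after)
    crl_until = add_years(not_after, CRL_RETENTION_YEARS)
    log_minimum = add_years(anchor, LOG_RETENTION_YEARS)
    return {
        "crl_until": crl_until,
        "log_minimum": log_minimum,
        "log_until": max(crl_until, log_minimum),
    }


def may_purge_records(not_after: date, revoked_at: Optional[date], today: date) -> bool:
    """True only once both the CRL-listing and the record-retention obligations have lapsed."""
    return today > retention_deadlines(not_after, revoked_at)["log_until"]


def worst_case_log_horizon(issued: date) -> date:
    """Longest retention a CA must plan for from issuance: max validity + 10 years."""
    return add_years(add_months(issued, MAX_VALIDITY_MONTHS), CRL_RETENTION_YEARS)


if __name__ == "__main__":
    # Constructed sample: a 39-month certificate issued 2024-01-15, expiring
    # 2027-04-15, revoked 2025-06-01.
    deadlines = retention_deadlines(parse_date("2027-04-15"), parse_date("2025-06-01"))
    for name, when in deadlines.items():
        print(f"{name:12s} {when.isoformat()}")
    print(f"{'worst case':12s} {worst_case_log_horizon(parse_date('2024-01-15')).isoformat()}")
```

For the sample certificate the 2-year record clock would expire in 2029, but the serial must stay on the CRL until 2037, so the records have to be kept eight years longer than a reading of Section 5.4.3 alone suggests; that gap is what the issue asks Sections 5.4 and 5.5 to spell out.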
