Timestamp services (RFC3161 and/or Authenticode)

Kyle Hamilton

Aug 29, 2011, 9:45:00 PM
to MozPol
All,

There are two competing time stamp formats (that I can find). These are Authenticode and RFC3161.

I would like to learn which CAs offer time stamp services, whether they offer Authenticode, RFC3161, or both, and their pricing.

StartCom offers RFC3161.
Verisign offers Authenticode.
Comodo offers Authenticode.

There are many other CAs in existence, though, and I'd like to get a sense of the landscape to see what I can realistically develop an application to consume.

Thank you for your time.

-Kyle H

Rob Stradling

Aug 30, 2011, 4:34:38 AM
to dev-secur...@lists.mozilla.org, MozPol, Kyle Hamilton
On Tuesday 30 Aug 2011 02:45:00 Kyle Hamilton wrote:
> All,
>
> There are two competing time stamp formats (that I can find). These are
> Authenticode and RFC3161.
>
> I would like to learn which CAs offer time stamp services, whether they
> offer Authenticode, RFC3161, or both, and their pricing.

Hi Kyle.

Microsoft require all Code Signing CAs in the Microsoft Root Certificate
Program to "operate a timestamp server authority (TSA) in conjunction with
their code signing service, and as a best practice request that Subscribers
timestamp the digital signature after signing their code. Effective no later
than October 31, 2011, the TSA must comply with RFC 3161" [1]

So I'm expecting to see more CAs offering RFC3161 services in the near future.

The Windows 7 implementation of Authenticode still supports Microsoft's legacy
PKCS#7 countersignature timestamping [2], but it also introduces support for
RFC3161 timestamping [3].

[1] I understand that all of the affected CAs have been privately informed, but
I've not seen this requirement published anywhere on Microsoft's website yet.

[2] http://msdn.microsoft.com/en-us/library/bb931395%28v=vs.85%29.aspx

[3] http://msdn.microsoft.com/en-us/library/aa387764%28v=vs.85%29.aspx
(signtool's "/tr" and "/td" flags)

> StartCom offers RFC3161.
> Verisign offers Authenticode.
> Comodo offers Authenticode.

Actually, we offer both:
http://timestamp.comodoca.com/authenticode
http://timestamp.comodoca.com/rfc3161

> There are many other CAs in existence, though, and I'd like to get a sense
> of the landscape to see what I can realistically develop an application to
> consume.
>
> Thank you for your time.
>
> -Kyle H

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
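
As an added example (not part of the thread, and not code from any CA or from Microsoft), the sketch below builds the DER `TimeStampReq` that an application would send to an RFC 3161 endpoint, then decodes it again so the digest and nonce can be compared with what the TSA returns. The function names, the SHA-256 choice and the sample inputs are assumptions made for illustration.

```python
import hashlib

# DER encoding of OID 2.16.840.1.101.3.4.2.1 (SHA-256)
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag, content):
    """Encode one DER TLV with a definite, minimal length."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value):
    # Non-negative INTEGER; the extra leading byte keeps the sign bit clear.
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_req(data, nonce, cert_req=True):
    """TimeStampReq: version 1, SHA-256 messageImprint, nonce, certReq."""
    alg = der(0x30, SHA256_OID + der(0x05, b""))
    imprint = der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))
    body = der_uint(1) + imprint + der_uint(nonce)
    if cert_req:  # DEFAULT FALSE, so DER encodes it only when TRUE
        body += der(0x01, b"\xff")
    return der(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_timestamp_req(req):
    """Decode the fields a client later compares against the TSA's reply."""
    tag, body, end = read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("expected exactly one DER SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, imprint, pos = read_tlv(body, pos)
    digest = read_tlv(imprint, read_tlv(imprint, 0)[2])[1]  # skip AlgorithmIdentifier
    out = {"version": version[0], "digest": digest,
           "nonce": None, "cert_req": False}
    while pos < len(body):  # optional fields; reqPolicy/extensions are ignored
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x02:
            out["nonce"] = int.from_bytes(val, "big")
        elif tag == 0x01:
            out["cert_req"] = val != b"\x00"
    return out
```

RFC 3161 carries this body over HTTP with the media type `application/timestamp-query`; a client should reject a reply whose nonce or message imprint differs from what it sent.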