Merge pull request #729 from tschmidtb51/csaf-2.1-valid-signatures

Signatures (CSAF 2.1)
oasis-tcs · May 12, 2024 · 8b17fcd · 8b17fcd
2 parents 15e6143 + e4535e8
commit 8b17fcd
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
@@ -419,6 +419,16 @@ File name of signature file: esa-2022-02723.json.asc
 
 If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.
 
+At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing
+CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations
+regarding key length.
+Tools SHOULD treat the violation of the rules given in the first sentence as:
+
+* warning if the signature is only valid for 90 days or less at the time of the verification,
+* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of
+  the verification and
+* error if the signature is expired at the time of the verification.
+
 ### Requirement 20: Public OpenPGP Key
 
 The public part of the OpenPGP key used to sign the CSAF documents MUST be available.