From 77935f1b9842b63b90b6c292bd6866800503a3a8 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 23 Apr 2024 23:37:52 +0200 Subject: [PATCH 1/4] Signatures - addresses parts of oasis-tcs/csaf#678 - add FAQ on signing --- csaf_2.0/guidance/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/csaf_2.0/guidance/faq.md b/csaf_2.0/guidance/faq.md index 105efa31..1749f429 100644 --- a/csaf_2.0/guidance/faq.md +++ b/csaf_2.0/guidance/faq.md @@ -48,6 +48,10 @@ Starting with version CSAF 2.1, [CSAF will support TLP v2](https://github.com/oa CSAF lister and CSAF aggregator choose on their own which producing parties they add to their lists. Please reach out to the CSAF lister or CSAF aggregator in question. Their contact details are available in the metadata of the list. +### How long should signatures of CSAF documents be valid? + +At any given point in time, signatures MUST be valid for 30 more days and SHOULD be valid for at least 90 more days. When signing CSAF documents, the signing party SHOULD comply with or exceed current best practices and guidance on key length. + ### I want to use a Content Delivery Network (CDN) to distribute CSAF files. What do I need to consider? Please see our advise on [CDNs](./cdn.md). From 85e2b343c75041cc045761ef0fab5b7536f50610 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Tue, 23 Apr 2024 23:45:04 +0200 Subject: [PATCH 2/4] Signatures - addresses parts of oasis-tcs/csaf#678 - provide tool guidance --- csaf_2.0/guidance/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/csaf_2.0/guidance/faq.md b/csaf_2.0/guidance/faq.md index 1749f429..18f85c5a 100644 --- a/csaf_2.0/guidance/faq.md +++ b/csaf_2.0/guidance/faq.md @@ -51,6 +51,11 @@ CSAF lister and CSAF aggregator choose on their own which producing parties they ### How long should signatures of CSAF documents be valid? At any given point in time, signatures MUST be valid for 30 more days and SHOULD be valid for at least 90 more days. When signing CSAF documents, the signing party SHOULD comply with or exceed current best practices and guidance on key length. +Tools SHOULD treat the violation of the rules given in the first sentence as: + +* warning if the signature is only valid for 90 days or less at the time of the check, +* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of the check and +* error if the signature is expired at the time of the check. ### I want to use a Content Delivery Network (CDN) to distribute CSAF files. What do I need to consider? From 2625bd3f62a1fbbf7db325a7febc2bc2eeb7e6d0 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 24 Apr 2024 18:01:45 +0200 Subject: [PATCH 3/4] Signatures - addresses feedback of oasis-tcs/csaf#724 - improve wording for readability Co-authored-by: Omar Santos --- csaf_2.0/guidance/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csaf_2.0/guidance/faq.md b/csaf_2.0/guidance/faq.md index 18f85c5a..66d0367c 100644 --- a/csaf_2.0/guidance/faq.md +++ b/csaf_2.0/guidance/faq.md @@ -50,7 +50,7 @@ CSAF lister and CSAF aggregator choose on their own which producing parties they ### How long should signatures of CSAF documents be valid? -At any given point in time, signatures MUST be valid for 30 more days and SHOULD be valid for at least 90 more days. When signing CSAF documents, the signing party SHOULD comply with or exceed current best practices and guidance on key length. +At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations regarding key length. Tools SHOULD treat the violation of the rules given in the first sentence as: * warning if the signature is only valid for 90 days or less at the time of the check, From eae98688c75fb33a353ff2ac6025583655dee70e Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Wed, 24 Apr 2024 18:05:05 +0200 Subject: [PATCH 4/4] Signatures - addresses feedback of oasis-tcs/csaf#724 - change "check" to "verification" Co-authored-by: Stefan Hagen --- csaf_2.0/guidance/faq.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csaf_2.0/guidance/faq.md b/csaf_2.0/guidance/faq.md index 66d0367c..3bc3d24c 100644 --- a/csaf_2.0/guidance/faq.md +++ b/csaf_2.0/guidance/faq.md @@ -53,9 +53,9 @@ CSAF lister and CSAF aggregator choose on their own which producing parties they At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations regarding key length. Tools SHOULD treat the violation of the rules given in the first sentence as: -* warning if the signature is only valid for 90 days or less at the time of the check, -* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of the check and -* error if the signature is expired at the time of the check. +* warning if the signature is only valid for 90 days or less at the time of the verification, +* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of the verification and +* error if the signature is expired at the time of the verification. ### I want to use a Content Delivery Network (CDN) to distribute CSAF files. What do I need to consider?