Skip to content

Commit

Permalink
Merge pull request #731 from oasis-tcs/master
Browse files Browse the repository at this point in the history
Merge Master back in editor-revision-2024-04-24
  • Loading branch information
tschmidtb51 authored May 22, 2024
2 parents 8b17fcd + 5ddc27e commit 91153d4
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions csaf_2.0/guidance/faq.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,15 @@ Starting with version CSAF 2.1, [CSAF will support TLP v2](https://github.com/oa

CSAF lister and CSAF aggregator choose on their own which producing parties they add to their lists. Please reach out to the CSAF lister or CSAF aggregator in question. Their contact details are available in the metadata of the list.

### How long should signatures of CSAF documents be valid?

At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations regarding key length.
Tools SHOULD treat the violation of the rules given in the first sentence as:

* warning if the signature is only valid for 90 days or less at the time of the verification,
* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of the verification and
* error if the signature is expired at the time of the verification.

### I want to use a Content Delivery Network (CDN) to distribute CSAF files. What do I need to consider?

Please see our advise on [CDNs](./cdn.md).
Expand Down

0 comments on commit 91153d4

Please sign in to comment.