From e4535e8347c43402b5277724db4d9741c35af032 Mon Sep 17 00:00:00 2001
From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Date: Thu, 25 Apr 2024 00:31:15 +0200
Subject: [PATCH] Signatures

- addresses parts of oasis-tcs/csaf#678
- add guidance on signing regarding minimum requirement of still valid for 30 days
- add tool guidance
---
 csaf_2.1/prose/edit/src/distributing.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
index 2436749f..2a9c2f06 100644
--- a/csaf_2.1/prose/edit/src/distributing.md
+++ b/csaf_2.1/prose/edit/src/distributing.md
@@ -419,6 +419,16 @@ File name of signature file: esa-2022-02723.json.asc
 
 If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.
 
+At all times, signatures MUST remain valid for a minimum of 30 days and ideally for at least 90 days. When executing
+CSAF document signatures, the signing party SHOULD adhere to or surpass the prevailing best practices and recommendations
+regarding key length.
+Tools SHOULD treat the violation of the rules given in the first sentence as:
+
+* warning if the signature is only valid for 90 days or less at the time of the verification,
+* error, which MAY be ignored by the user per option, if the signature is only valid for 30 days or less at the time of
+  the verification and
+* error if the signature is expired at the time of the verification.
+
 ### Requirement 20: Public OpenPGP Key
 
 The public part of the OpenPGP key used to sign the CSAF documents MUST be available.