<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.m-5396181029314660276paragraph, li.m-5396181029314660276paragraph, div.m-5396181029314660276paragraph
{mso-style-name:m_-5396181029314660276paragraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.m-5396181029314660276normaltextrun
{mso-style-name:m_-5396181029314660276normaltextrun;}
span.m-5396181029314660276eop
{mso-style-name:m_-5396181029314660276eop;}
span.m-5396181029314660276scxw53035567
{mso-style-name:m_-5396181029314660276scxw53035567;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.paragraph, li.paragraph, div.paragraph
{mso-style-name:paragraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.normaltextrun
{mso-style-name:normaltextrun;}
span.eop
{mso-style-name:eop;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>Hello Aaron, </span><span class=eop> </span><o:p></o:p></p><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>Thank you for your comments and consideration. We agree that the use of the phrase “such as” may not be interpreted as intended. Therefore, we have replaced it with “including, but not limited to....”</span><span class=eop> </span><o:p></o:p></p><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>As for a summary of the ROCA vulnerability, you may check either the </span><a href="https://en.wikipedia.org/wiki/ROCA_vulnerability" target="_blank"><span class=normaltextrun><span style='color:#0563C1'>Wikipedia page</span></span></a><span class=normaltextrun> or the </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15361" target="_blank"><span class=normaltextrun><span style='color:#0563C1'>NIST summary</span></span></a><span class=normaltextrun> for more details about the issue. If you have questions after reviewing those sources, we would be happy to help find the answers. </span><span class=eop> </span><o:p></o:p></p><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>Finally, regarding the phrasing of the Close Primes Vulnerability, we used the phrase “weak keys identified within 100 rounds using Fermat’s factorization method,“ to stress the importance that the CA actually perform the computations to discover such weak keys. </span><span class=eop> </span><o:p></o:p></p><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>I hope that this sufficiently addresses your concerns. Please let me know if we may provide additional clarity on the ballot. </span><span class=eop> </span><o:p></o:p></p><p class=paragraph style='vertical-align:baseline'><span class=normaltextrun>Best regards,</span><span class=eop> </span><o:p></o:p></p><p class=MsoNormal>Tom<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Aaron Gable <aaron@letsencrypt.org> <br><b>Sent:</b> Thursday, May 25, 2023 5:00 PM<br><b>To:</b> Tom Zermeno <tom@ssl.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject:</b> Re: [Servercert-wg] SC-59 Weak Key Guidance<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 align=left width="100%" style='width:100.0%'><tr><td style='background:#A6A6A6;padding:5.25pt 1.5pt 5.25pt 1.5pt'></td><td width="100%" style='width:100.0%;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 11.25pt'><div><p class=MsoNormal style='mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly'><span style='font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#212121'>You don't often get email from <a href="mailto:aaron@letsencrypt.org">aaron@letsencrypt.org</a>. <a href="https://aka.ms/LearnAboutSenderIdentification">Learn why this is important</a><o:p></o:p></span></p></div></td><td width=75 style='width:56.25pt;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 3.75pt;align:left'></td></tr></table><div><div><p class=MsoNormal>Hi Tom, <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As long as we're going to have weak keys language at all, I'm definitely in favor of making it crystal clear. I have a few small editorial questions/comments about the current ballot text:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- In Section 4.9.1.1 (4), have we considered replacing "such as those identified..." with "including but not limited to those identified..."? I fear that the continued use of "such as" retains too much possibility of people still interpreting it as an exhaustive list, rather than a list of examples.<o:p></o:p></p></div><div><p class=MsoNormal>- Is there not a helpful explainer page for the ROCA vulnerability, like there is for debian weak keys and close primes?<o:p></o:p></p></div><div><p class=MsoNormal>- For the close primes vulnerability, I'd suggest phrasing it as "the CA SHALL reject keys which can be factored using 100 rounds of Fermat's factorization method". The currently proposed phrasing uses which-elision: "the CA SHALL reject weak keys *which are* identified within..." But saying "which are" is actually wrong: we want to say "which *can be*" or "which *would* be"; those phrases are not elided nearly as often in English, so I'd argue that the current phrasing is slightly confusing. Hence my slightly re-ordered proposal.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Aaron<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, May 25, 2023 at 12:51 PM Tom Zermeno via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>Purpose of Ballot SC-059 V3</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>Several events within the community have led to concerns that the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (BRs) lacked a specificity required to properly guide CAs on matters dealing with the identification and processing of digital certificates based on private keys considered weak, or easy to ascertain. In the hopes that elaboration and clarity on the subject would be beneficial to the community, we are presenting updates to §4.9.1.1(“Reasons for Revoking a Subscriber Certificate) and §6.1.1.3 (Subscriber Key Pair Generation) of the BRs.</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>The first update is to §4.9.1.1 and is made to expand the scope of easily computable Private Keys from “Debian weak keys” to “those listed in section 6.1.1.3(5)”. While the initial language in the BRs did not exclude other concerns, the use of a single example could be interpreted to mean that other easily computable Private Keys are few and far between. The next update was to §6.1.1.3(5), wherein we added specific actions to be taken for ROCA vulnerability, Debian weak keys - both RSA and ECDSA – and Close Primes vulnerability. We also added a link to suggested tools to be used for checking weak keys. Finally, an implementation date of December 1, 2023 was added to allow CAs time to update processes to meet the requirements. </span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun><span style='color:black'>The following motion has been proposed by Thomas Zermeno of SSL.com and endorsed by Ben Wilson of Mozilla and Martijn Katerbarg of Sectigo.</span></span><span class=m-5396181029314660276eop><span style='color:black'> </span></span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>--Motion Begins—</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun><span style='font-size:12.0pt;color:black'>This ballot is intended to clarify CA responsibilities regarding weak key vulnerabilities, including specific guidance for Debian weak key, ROCA and Close Primes attack vulnerabilities, and modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 2.0.0. </span></span><span class=m-5396181029314660276scxw53035567><span style='font-size:12.0pt;color:black'> </span></span><span style='font-size:12.0pt;color:black'><br><span class=m-5396181029314660276scxw53035567> </span><br><span class=m-5396181029314660276normaltextrun>Notes: Upon beginning discussion for SC-59, the then-current version of the BRs was 1.8.4; since that time several ballots have been approved, leading to the increment of the version to 1.8.7 and eventually 2.0.0, which is the latest approved version of the BRs. The changes introduced in SC-59 do not conflict with any of the recent ballots. As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version # and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.1).</span><span class=m-5396181029314660276eop> </span></span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun> </span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun><span style='color:black'>MODIFY the Baseline Requirements as specified in the following Redline: </span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00" target="_blank"><span class=m-5396181029314660276normaltextrun><span style='color:black'>https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span class=m-5396181029314660276eop><span style='color:black'> </span></span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun> </span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>--Motion Ends—</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=m-5396181029314660276paragraph style='vertical-align:baseline'><span class=m-5396181029314660276normaltextrun>Discussion (11+ days) • Start time: 2023-05-25 19:00:00 UTC • End time: 2023-06-08 18:59:00 UTC</span><span class=m-5396181029314660276scxw53035567> </span><br><span class=m-5396181029314660276normaltextrun>Vote for approval (7 days) • Start time: TBD • End time: TBD</span><span class=m-5396181029314660276eop> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p></div></blockquote></div></div></div></body></html>