<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Tom,<br>
<br>
Considering that most CAs already <i>should</i> be checking for
Debian weak keys, September 15, 2023 might not be such a big
challenge, but I will also wait for other Members to comment on the
proposed March 15, 2024 effective date.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 26/5/2023 5:37 PM, Tom Zermeno
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SJ0PR13MB5546DBC27C8BCE1FDAAB0B88AF479@SJ0PR13MB5546.namprd13.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hello Dimitris,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for the input. We feel that
September 15<sup>th</sup> does not provide enough time for CAs
to implement these changes, but we are not against the March
15, 2024 effective date, if there is consensus
from the Community. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Tom<o:p></o:p></p>
<p class="MsoNormal">SSL.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-ligatures:none">From:</span></b><span
style="mso-ligatures:none"> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org">&lt;servercert-wg-bounces@cabforum.org&gt;</a> <b>On Behalf
Of </b>Dimitris Zacharopoulos (HARICA) via
Servercert-wg<br>
<b>Sent:</b> Friday, May 26, 2023 1:54 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a><br>
<b>Subject:</b> Re: [Servercert-wg] SC-59 Weak Key
Guidance<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Hi Tom,<br>
<br>
Historically, the SCWG has been trying to avoid effective
dates during January or December. I recommend using September
15, 2023 or March 15, 2024 as possible effective dates. These
two dates seem to be <a
href="https://docs.google.com/presentation/d/1oTGVYqggQpQMR4Lktbu_L6DhuBVJzeuiFGd9EAU1zsE"
moz-do-not-send="true">more favorable</a> than others. <br>
<br>
<br>
Thanks,<br>
Dimitris.<span style="mso-ligatures:none"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 25/5/2023 10:51 PM, Tom Zermeno via
Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Purpose of Ballot SC-059 V3</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Several events within the community
have led to concerns that the Baseline Requirements for
the Issuance and Management of Publicly-Trusted
Certificates (BRs) lacked a specificity required to
properly guide CAs on matters dealing with the
identification and processing of digital certificates
based on private keys considered weak, or easy to
ascertain. In the hopes that elaboration and clarity on
the subject would be beneficial to the community, we are
presenting updates to §4.9.1.1 (“Reasons for Revoking a
Subscriber Certificate”) and §6.1.1.3 (Subscriber Key Pair
Generation) of the BRs.</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">The first update is to §4.9.1.1 and
is made to expand the scope of easily computable Private
Keys from “Debian weak keys” to “those listed in section
6.1.1.3(5)”. While the initial language in the BRs did
not exclude other concerns, the use of a single example
could be interpreted to mean that other easily computable
Private Keys are few and far between. The next update was
to §6.1.1.3(5), wherein we added specific actions to be
taken for ROCA vulnerability, Debian weak keys – both RSA
and ECDSA – and Close Primes vulnerability. We also added
a link to suggested tools to be used for checking weak
keys. Finally, an implementation date of December 1, 2023
was added to allow CAs time to update processes to meet
the requirements. </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="color:black">The
following motion has been proposed by Thomas Zermeno of
SSL.com and endorsed by Ben Wilson of Mozilla and
Martijn Katerbarg of Sectigo.</span></span><span
class="eop"><span style="color:black"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">--Motion Begins--</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span
style="font-size:12.0pt;color:black">This ballot is
intended to clarify CA responsibilities regarding weak
key vulnerabilities, including specific guidance for
Debian weak key, ROCA and Close Primes attack
vulnerabilities, and modifies the “Baseline Requirements
for the Issuance and Management of Publicly-Trusted
Certificates” as follows, based on Version 2.0.0. </span></span><span
class="scxw53035567"><span
style="font-size:12.0pt;color:black"> </span></span><span
style="font-size:12.0pt;color:black"><br>
<span class="scxw53035567"> </span><br>
<span class="normaltextrun">Notes: Upon beginning
discussion for SC-59, the then-current version of the
BRs was 1.8.4; since that time several ballots have been
approved, leading to the increment of the version to
1.8.7 and eventually 2.0.0, which is the latest approved
version of the BRs. The changes introduced in SC-59 do
not conflict with any of the recent ballots. As observed
with other ballots in the past, minor administrative
updates must be made to the proposed ballot text before
publication such that the appropriate Version # and
Change History are accurately represented (e.g., to
indicate these changes will be represented in Version
2.0.1).</span><span class="eop"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="color:black">MODIFY the
Baseline Requirements as specified in the following
Redline: </span></span><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00"
target="_blank" moz-do-not-send="true"><span
class="normaltextrun"><span style="color:black">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span
class="eop"><span style="color:black"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">--Motion Ends--</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">This ballot proposes a Final
Maintenance Guideline. The procedure for approval of this
ballot is as follows:</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Discussion (11+ days) • Start time:
2023-05-25 19:00:00 UTC • End time: 2023-06-08 18:59:00
UTC</span><span class="scxw53035567"> </span><br>
<span class="normaltextrun">Vote for approval (7 days) •
Start time: TBD • End time: TBD</span><span class="eop"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>