<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Hi Tom,<br>
<br>
Historically, the SCWG has been trying to avoid effective dates
during January or December. I recommend using September 15, 2023 or
March 15, 2024 as possible effective dates. These two dates seem to
be <a moz-do-not-send="true"
href="https://docs.google.com/presentation/d/1oTGVYqggQpQMR4Lktbu_L6DhuBVJzeuiFGd9EAU1zsE">more
favorable</a> than others. <br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 25/5/2023 10:51 PM, Tom Zermeno
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000188547791e5-b28f1c5c-b2fe-4c5c-9a0e-5e19e4fad35d-000000@email.amazonses.com">
<div class="WordSection1">
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Purpose of Ballot SC-059 V3</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Several events within the community
have led to concerns that the Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates
(BRs) lacked a specificity required to properly guide CAs on
matters dealing with the identification and processing of
digital certificates based on private keys considered weak,
or easy to ascertain. In the hopes that elaboration and
clarity on the subject would be beneficial to the community,
we are presenting updates to §4.9.1.1 (“Reasons for Revoking
a Subscriber Certificate”) and §6.1.1.3 (Subscriber Key Pair
Generation) of the BRs.</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">The first update is to §4.9.1.1 and is
made to expand the scope of easily computable Private Keys
from “Debian weak keys” to “those listed in section
6.1.1.3(5)”. While the initial language in the BRs did not
exclude other concerns, the use of a single example could be
interpreted to mean that other easily computable Private
Keys are few and far between. The next update was to
§6.1.1.3(5), wherein we added specific actions to be taken
for ROCA vulnerability, Debian weak keys (both RSA and
ECDSA) and Close Primes vulnerability. We also added a
link to suggested tools to be used for checking weak keys.
Finally, an implementation date of December 1, 2023 was
added to allow CAs time to update processes to meet the
requirements. </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="color:black">The
following motion has been proposed by Thomas Zermeno of
SSL.com and endorsed by Ben Wilson of Mozilla and Martijn
Katerbarg of Sectigo.</span></span><span class="eop"><span
style="color:black"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">--Motion Begins--</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span
style="font-size:12.0pt;color:black">This ballot is
intended to clarify CA responsibilities regarding weak key
vulnerabilities, including specific guidance for Debian
weak key, ROCA and Close Primes attack vulnerabilities,
and modifies the “Baseline Requirements for the Issuance
and Management of Publicly-Trusted Certificates” as
follows, based on Version 2.0.0. </span></span><span
class="scxw53035567"><span
style="font-size:12.0pt;color:black"> </span></span><span
style="font-size:12.0pt;color:black"><br>
<span class="scxw53035567"> </span><br>
<span class="normaltextrun">Notes: Upon beginning discussion
for SC-59, the then-current version of the BRs was 1.8.4;
since that time several ballots have been approved,
leading to the increment of the version to 1.8.7 and
eventually 2.0.0, which is the latest approved version of
the BRs. The changes introduced in SC-59 do not conflict
with any of the recent ballots. As observed with other
ballots in the past, minor administrative updates must be
made to the proposed ballot text before publication such
that the appropriate Version # and Change History are
accurately represented (e.g., to indicate these changes
will be represented in Version 2.0.1).</span><span
class="eop"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="color:black">MODIFY the
Baseline Requirements as specified in the following
Redline: </span></span><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00"
target="_blank" moz-do-not-send="true"><span
class="normaltextrun"><span style="color:black">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span
class="eop"><span style="color:black"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">--Motion Ends--</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">This ballot proposes a Final
Maintenance Guideline. The procedure for approval of this
ballot is as follows:</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun">Discussion (11+ days) • Start time:
2023-05-25 19:00:00 UTC • End time: 2023-06-08 18:59:00 UTC</span><span
class="scxw53035567"> </span><br>
<span class="normaltextrun">Vote for approval (7 days) • Start
time: TBD • End time: TBD</span><span class="eop"> </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
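The Close Primes check that the proposed §6.1.1.3(5) text requires CAs to perform, as an added example that is not part of the ballot, of this thread, or of any CA/B Forum tooling: a bounded Fermat factorization over an RSA modulus, which recovers both primes quickly when they lie close together and so lets a CA reject such a Subscriber key before issuance (or revoke it under the amended §4.9.1.1). The 100-round budget, the function names and the constructed toy moduli (built from the primes 10^9+7, 10^9+9 and 2^32+15) are assumptions; Debian weak-key and ROCA detection depend on external fingerprint data and are not included.<br>

```python
"""Bounded Fermat factorization as a Close Primes check for RSA moduli.

Added example (not from the ballot, the thread or CA/B Forum tooling).
If an RSA modulus n = p*q has |p - q| small relative to sqrt(n), Fermat's
method recovers p and q in a handful of rounds, so a CA can reject such a
Subscriber key before issuance and revoke it if found afterwards.
The 100-round budget is an assumed, commonly used value, not a BR number.
"""
from math import isqrt
from typing import Optional, Tuple


def fermat_close_primes(n: int, max_rounds: int = 100) -> Optional[Tuple[int, int]]:
    """Return (p, q) with p * q == n if Fermat's method succeeds within
    max_rounds, otherwise None (not close-prime weak at this budget)."""
    if n < 4:
        return None
    if n % 2 == 0:  # an even RSA modulus is broken outright
        return (2, n // 2)
    a = isqrt(n)
    if a * a < n:  # start at ceil(sqrt(n))
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n  # n = a^2 - b^2 = (a - b)(a + b)
        b = isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            return (p, q) if p > 1 else None  # p == 1 is the trivial split
        a += 1
    return None


def check_subscriber_modulus(n: int) -> Optional[str]:
    """Return a rejection reason for a weak modulus, or None if this check passes.
    Hypothetical helper: a CA would run it alongside Debian weak-key and ROCA
    fingerprint checks, which need external data not embedded here."""
    if fermat_close_primes(n) is not None:
        return "close-primes"
    return None


# Constructed test moduli (toy sizes, chosen so the arithmetic is checkable).
P1, Q1 = 1000000007, 1000000009  # twin primes: close together, weak
Q2 = 4294967311                  # first prime above 2**32: far from P1
CLOSE_N = P1 * Q1                # factors within a single Fermat round
NOT_CLOSE_N = P1 * Q2            # not recovered within 100 rounds


if __name__ == "__main__":
    for label, n in (("close", CLOSE_N), ("not close", NOT_CLOSE_N)):
        print(label, n, fermat_close_primes(n), check_subscriber_modulus(n))
```

In practice a CA would run this over the modulus of every incoming CSR and over its issued corpus when the requirement takes effect; a hit on CLOSE_N returns the factors in the first round because the starting value ceil(sqrt(n)) already equals (p + q) / 2, while NOT_CLOSE_N exhausts the budget and passes.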
<br>
</body>
</html>