<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Clint,<br>
<br>
<div class="moz-cite-prefix">On 26/5/2023 6:45 p.m., Clint Wilson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Hi Tom, Dimitris,
<div><br>
</div>
<div>I continue to be opposed to the SCWG trying to limit
effective dates to 2 per year. I think it’s entirely reasonable
to align on a day of the month (I think the 15th has broadly
been the only one I’ve heard proposed). I think it’s reasonable
to try to avoid January and December. I also think there may be
value in trying to reduce the overall number of effective dates
somewhat. The dates I’m personally in favor of aligning on are
February, April, June, August, and October 15th.</div>
<div>
<div><br>
</div>
<div>If there’s a particular penchant towards March and
September, however, then I’d be unopposed to March, May, July,
September, and November 15th. </div>
<div><br>
</div>
<div>For this ballot in particular, I think October 15 or
November 15 2023 are feasible targets for implementing these
changes and would greatly prefer closing this issue (open now
for <u>more than 3 years</u>) sooner than later, especially
given the number of incidents we’ve seen in the last years
related to weak key vulnerabilities and CAs issuing
certificates with weak keys.</div>
</div>
</blockquote>
<br>
It's fine for me also to close this issue sooner than later, which is
why I recommended even the September 15, 2023 effective date.<br>
<br>
On the 2 document releases per year issue, this is a preliminary
result after having long discussions. I was not aware of any
opposition until now, but perhaps your opposition didn't consider
the emergency options of the proposal? The "standardized release
cycle for Guidelines" proposal addresses a series of concerns about
the frequency and number of document updates, as highlighted in the
presentation shared in my previous reply. If you recall, the
proposal still allows the release of "Emergency Guidelines" that
bypasses the 6-month regular release cycle. We still need to work on
the details which I hope to make progress on after passing the first
Bylaws updates that are already prepared, but I'm confident that all
concerns will be addressed.<br>
<br>
If we use this ballot as an example for applying the "standardized
release cycle for Guidelines", Apple would propose that this is an
Emergency Guideline and specify an effective date that would not be
one of March 15 or September 15. If there was no opposition, we
would proceed with a ballot that would result in an emergency
guideline release and the proposed effective date exactly as we
normally do today.<br>
<br>
I plan to start a separate thread to continue this discussion at the
Forum level after we make some progress with the recently proposed
Bylaws changes.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
<div>
<div><br>
</div>
<div>Thanks,</div>
<div>-Clint</div>
<div><br>
<blockquote type="cite">
<div>On May 26, 2023, at 7:37 AM, Tom Zermeno via
Servercert-wg <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<meta charset="UTF-8">
<div class="WordSection1" style="page: WordSection1;
caret-color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;">
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Hello Dimitris,<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Thank you for the input. We
feel that September 15<sup>th</sup> does not
provide enough time for CAs to implement these
changes, but we are not against the March 15, 2024
effective date, if there is consensus from the
Community.<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Thank you,<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Tom<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><a href="http://ssl.com/"
style="color: blue; text-decoration: underline;"
moz-do-not-send="true">SSL.com</a><o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div>
<div style="border-width: 1pt medium medium;
border-style: solid none none; border-color:
rgb(225, 225, 225) currentcolor currentcolor;
border-image: none; padding: 3pt 0in 0in;">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span
class="Apple-converted-space"> </span>Servercert-wg
<<a
href="mailto:servercert-wg-bounces@cabforum.org"
style="color: blue; text-decoration:
underline;" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>><span
class="Apple-converted-space"> </span><b>On
Behalf Of<span class="Apple-converted-space"> </span></b>Dimitris
Zacharopoulos (HARICA) via Servercert-wg<br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Friday,
May 26, 2023 1:54 AM<br>
<b>To:</b><span class="Apple-converted-space"> </span><a
href="mailto:servercert-wg@cabforum.org"
style="color: blue; text-decoration:
underline;" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a><br>
<b>Subject:</b><span
class="Apple-converted-space"> </span>Re:
[Servercert-wg] SC-59 Weak Key Guidance<o:p></o:p></span></div>
</div>
</div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<p class="MsoNormal" style="margin: 0in 0in 12pt;
font-size: 11pt; font-family: Calibri, sans-serif;"><br>
Hi Tom,<br>
<br>
Historically, the SCWG has been trying to avoid
effective dates during January or December. I
recommend using September 15, 2023 or March 15, 2024
as possible effective dates. These two dates seem to
be<span class="Apple-converted-space"> </span><a
href="https://docs.google.com/presentation/d/1oTGVYqggQpQMR4Lktbu_L6DhuBVJzeuiFGd9EAU1zsE"
style="color: blue; text-decoration: underline;"
moz-do-not-send="true">more favorable</a><span
class="Apple-converted-space"> </span>than others.<span
class="Apple-converted-space"> </span><br>
<br>
<br>
Thanks,<br>
Dimitris.<span><o:p></o:p></span></p>
<div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">On 25/5/2023 10:51 p.m., Tom
Zermeno via Servercert-wg wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">Purpose of Ballot SC-059 V3</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">Several events within the
community have led to concerns that the Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates (BRs) lacked the
specificity required to properly guide CAs on
matters dealing with the identification and
processing of digital certificates based on
private keys considered weak, or easy to
ascertain. In the hopes that elaboration and
clarity on the subject would be beneficial to the
community, we are presenting updates to
§4.9.1.1 (“Reasons for Revoking a Subscriber
Certificate”) and §6.1.1.3 (Subscriber Key Pair
Generation) of the BRs.</span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">The first update is to
§4.9.1.1 and is made to expand the scope of easily
computable Private Keys from “Debian weak keys” to
“those listed in section 6.1.1.3(5)”. While the
initial language in the BRs did not exclude other
concerns, the use of a single example could be
interpreted to mean that other easily computable
Private Keys are few and far between. The next
update was to §6.1.1.3(5), wherein we added
specific actions to be taken for the ROCA
vulnerability, Debian weak keys (both RSA and
ECDSA) and the Close Primes vulnerability. We also
added a link to suggested tools to be used for
checking weak keys. Finally, an implementation
date of December 1, 2023 was added to allow CAs
time to update processes to meet the requirements.<span
class="Apple-converted-space"> </span></span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun"><span style="">The following
motion has been proposed by Thomas Zermeno of<span
class="Apple-converted-space"> </span><a
href="http://ssl.com/" style="color: blue;
text-decoration: underline;"
moz-do-not-send="true">SSL.com</a><span
class="Apple-converted-space"> </span>and
endorsed by Ben Wilson of Mozilla and Martijn
Katerbarg of Sectigo.</span></span><span
class="eop"><span style=""> </span></span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">--Motion Begins--</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun"><span style="font-size:
12pt;">This ballot is intended to clarify CA
responsibilities regarding weak key
vulnerabilities, including specific guidance for
Debian weak key, ROCA and Close Primes attack
vulnerabilities, and modifies the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates” as follows, based
on Version 2.0.0.<span
class="Apple-converted-space"> </span></span></span><span
class="scxw53035567"><span style="font-size:
12pt;"> </span></span><span style="font-size:
12pt;"><br>
<span class="scxw53035567"> </span><br>
<span class="normaltextrun">Notes: Upon beginning
discussion for SC-59, the then-current version
of the BRs was 1.8.4; since that time several
ballots have been approved, leading to the
increment of the version to 1.8.7 and eventually
2.0.0, which is the latest approved version of
the BRs. The changes introduced in SC-59 do not
conflict with any of the recent ballots. As
observed with other ballots in the past, minor
administrative updates must be made to the
proposed ballot text before publication such
that the appropriate Version # and Change
History are accurately represented (e.g., to
indicate these changes will be represented in
Version 2.0.1).</span><span class="eop"> </span></span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun"><span style="">MODIFY the
Baseline Requirements as specified in the
following Redline:<span
class="Apple-converted-space"> </span></span></span><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00"
target="_blank" style="color: blue;
text-decoration: underline;"
moz-do-not-send="true"><span class="normaltextrun"><span
style="">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span
class="eop"><span style=""> </span></span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">--Motion Ends--</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">This ballot proposes a Final
Maintenance Guideline. The procedure for approval
of this ballot is as follows:</span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span
class="normaltextrun">Discussion (11+ days) •
Start time: 2023-05-25 19:00:00 UTC • End time:
2023-06-08 18:59:00 UTC</span><span
class="scxw53035567"> </span><br>
<span class="normaltextrun">Vote for approval (7
days) • Start time: TBD • End time: TBD</span><span
class="eop"> </span><o:p></o:p></p>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"> <o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><span><br>
<br>
<o:p></o:p></span></div>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">_______________________________________________</pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">Servercert-wg mailing list</pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a></pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></pre>
</blockquote>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><span><o:p> </o:p></span></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
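The ballot quoted above adds a "Close Primes" case to the BR 6.1.1.3(5) key checks. As an added illustration (not part of the ballot text or of any CA's tooling), the following Python runs Fermat's factorisation method against a constructed RSA modulus, which is the pre-issuance check that case calls for; the round limit and the verdict strings are assumptions, and ROCA and Debian weak-key detection are left to the fingerprint-based tools the ballot links to.

```python
import math

# Added example, not from the SC-59 ballot or any CA's code: a Fermat
# close-primes check for RSA moduli. It does not cover ROCA or Debian weak
# keys, which need the fingerprint-based tools the ballot links to.

MAX_ROUNDS = 100  # assumption: the ballot does not fix a round count


def fermat_close_primes(n: int, max_rounds: int = MAX_ROUNDS):
    """Return (p, q) with p * q == n if the factors are close enough for
    Fermat's method to find them within max_rounds, else None.

    Fermat writes n = a*a - b*b = (a-b)(a+b) and steps a upward from
    ceil(sqrt(n)). After k steps it finds any p, q with
    (p+q)/2 - ceil(sqrt(n)) < k, i.e. |p-q| below roughly sqrt(8*k*sqrt(n)).
    """
    if n < 4 or n % 2 == 0:
        return None  # even or tiny moduli fail other BR checks, not this one
    a = math.isqrt(n)
    if a * a < n:
        a += 1  # ceil(sqrt(n))
    for _ in range(max_rounds):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            return (p, q) if p > 1 else None  # p == 1 is the trivial split
        a += 1
    return None


def check_rsa_modulus(n: int) -> str:
    """Verdict a CA's pre-issuance key check could record for a CSR modulus."""
    found = fermat_close_primes(n)
    if found is not None:
        p, q = found
        return f"REJECT: close primes (|p-q| = {abs(q - p)})"
    return "PASS: close-primes check"


# Constructed sample moduli (small, for illustration only).
CLOSE_N = 10007 * 10009        # twin primes: found on the first Fermat step
SEPARATED_N = 10007 * 65537    # factors far apart: not found in MAX_ROUNDS

if __name__ == "__main__":
    for label, n in (("close", CLOSE_N), ("separated", SEPARATED_N)):
        print(label, n, check_rsa_modulus(n))
```

For a real 2048-bit modulus the same call, with the modulus read from the CSR, runs in microseconds, so the check costs nothing to add to an issuance pipeline.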
<br>
</body>
</html>