<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Dimitris,<div><div><br><blockquote type="cite"><div>On May 28, 2023, at 10:17 PM, Dimitris Zacharopoulos (HARICA) &lt;dzacharo@harica.gr&gt; wrote:</div><br class="Apple-interchange-newline"><div>
  
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  
  <div>
    Hi Clint,<br>
    <br>
    <div class="moz-cite-prefix">On 26/5/2023 6:45 PM, Clint Wilson
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      Hi Tom, Dimitris,
      <div><br>
      </div>
      <div>I continue to be opposed to the SCWG trying to limit
        effective dates to 2 per year. I think it’s entirely reasonable
        to align on a day of the month (I think the 15th has broadly
        been the only one I’ve heard proposed). I think it’s reasonable
        to try to avoid January and December. I also think there may be
        value in trying to reduce the overall number of effective dates
        somewhat. The dates I’m personally in favor of aligning on are
        February, April, June, August, and October 15th.</div>
      <div>
        <div><br>
        </div>
        <div>If there’s a particular penchant towards March and
          September, however, then I’d be unopposed to March, May, July,
          September, and November 15th. </div>
        <div><br>
        </div>
        <div>For this ballot in particular, I think October 15 or
          November 15 2023 are feasible targets for implementing these
          changes and would greatly prefer closing this issue (open now
          for <u>more than 3 years</u>) sooner than later, especially
          given the number of incidents we’ve seen in the last years
          related to weak key vulnerabilities and CAs issuing
          certificates with weak keys.</div>
      </div>
    </blockquote>
    <br>
    It's fine for me also to close this issue sooner than later which is
    why I recommended even the September 15, 2023 effective date.<br></div></div></blockquote>Agreed, if the ballot author(s) and endorsers feel September 15, 2023 is feasible, I would be very supportive of selecting that date.<br><blockquote type="cite"><div><div>
    <br>
    On the 2 document releases per year issue, this is a preliminary
    result after having long discussions. I was not aware of any
    opposition until now, but perhaps your opposition didn't consider
    the emergency options of the proposal? </div></div></blockquote>I’ve raised my opposition before, and I have taken into account the emergency options. Part of my opposition is to the idea that selecting an effective date that is not one of the preferred dates needs to be considered an emergency in order to occur. I don’t believe adding this additional “gate”, especially formally, to the ballot process is necessary nor particularly helpful.<br><blockquote type="cite"><div><div>The "standardized release
    cycle for Guidelines" proposal addresses a series of concerns about
    the frequency and number of document updates, as highlighted in the
    presentation shared in my previous reply. If you recall, the
    proposal still allows the release of "Emergency Guidelines" that
    bypasses the 6-month regular release cycle. We still need to work on
    the details which I hope to make progress on after passing the first
    Bylaws updates that are already prepared, but I'm confident that all
    concerns will be addressed.<br></div></div></blockquote>I look forward to the continued discussion around the proposal and will be happy to participate as/when that moves forward, as you’ve noted below.<br><blockquote type="cite"><div><div>
    <br>
    If we use this ballot as an example for applying the "standardized
    release cycle for Guidelines", Apple would propose that this is an
    Emergency Guideline and specify an effective date that would not be
    one of March 15 or September 15. If there was no opposition, we
    would proceed with a ballot that would result in an emergency
    guideline release and the proposed effective date exactly as we
    normally do today.<br></div></div></blockquote>This ballot does not strike me as qualifying as an Emergency by any definition I’m familiar with, and provides a useful demonstration as to why I am currently opposed to the “standardized release cycle for Guidelines”, as presented, while being much more supportive of something along the lines of what Tim and I discussed.</div><div><br></div><div>Cheers,</div><div>-Clint<br><blockquote type="cite"><div><div>
    <br>
    I plan to start a separate thread to continue this discussion at the
    Forum level after we make some progress with the recently proposed
    Bylaws changes.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <blockquote type="cite" cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
      <div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>-Clint</div>
        <div><br>
          <blockquote type="cite">
            <div>On May 26, 2023, at 7:37 AM, Tom Zermeno via
              Servercert-wg <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a> wrote:</div>
            <br class="Apple-interchange-newline">
            <div>
              <meta charset="UTF-8">
              <div class="WordSection1" style="page: WordSection1;
                caret-color: rgb(0, 0, 0); font-family: Helvetica;
                font-size: 12px; font-style: normal; font-variant-caps:
                normal; font-weight: 400; letter-spacing: normal;
                text-align: start; text-indent: 0px; text-transform:
                none; white-space: normal; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; text-decoration: none;">
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;">Hello Dimitris,<o:p></o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><o:p> </o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;">Thank you for the input.  We
                  feel that September 15<sup>th</sup><span class="Apple-converted-space"> </span>does not
                  provide enough time for CAs to implement these
                  changes, but we are not against the March 15,<span class="Apple-converted-space"> </span><sup> </sup>2024
                  effective date, if there is consensus from the
                  Community.<span class="Apple-converted-space"> </span><o:p></o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><o:p> </o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;">Thank you,<o:p></o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><o:p> </o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;">Tom<o:p></o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><a href="http://ssl.com/" style="color: blue; text-decoration: underline;" moz-do-not-send="true">SSL.com</a><o:p></o:p></div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><o:p> </o:p></div>
                <div>
                  <div style="border-width: 1pt medium medium;
                    border-style: solid none none; border-color:
                    rgb(225, 225, 225) currentcolor currentcolor;
                    border-image: none; padding: 3pt 0in 0in;">
                    <div style="margin: 0in; font-size: 11pt;
                      font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Servercert-wg
                        &lt;<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration:
                          underline;" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>&gt;<span class="Apple-converted-space"> </span><b>On
                          Behalf Of<span class="Apple-converted-space"> </span></b>Dimitris
                        Zacharopoulos (HARICA) via Servercert-wg<br>
                        <b>Sent:</b><span class="Apple-converted-space"> </span>Friday,
                        May 26, 2023 1:54 AM<br>
                        <b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration:
                          underline;" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a><br>
                        <b>Subject:</b><span class="Apple-converted-space"> </span>Re:
                        [Servercert-wg] SC-59 Weak Key Guidance<o:p></o:p></span></div>
                  </div>
                </div>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><o:p> </o:p></div><p class="MsoNormal" style="margin: 0in 0in 12pt;
                  font-size: 11pt; font-family: Calibri, sans-serif;"><br>
                  Hi Tom,<br>
                  <br>
                  Historically, the SCWG has been trying to avoid
                  effective dates during January or December. I
                  recommend using September 15, 2023 or March 15, 2024
                  as possible effective dates. These two dates seem to
                  be<span class="Apple-converted-space"> </span><a href="https://docs.google.com/presentation/d/1oTGVYqggQpQMR4Lktbu_L6DhuBVJzeuiFGd9EAU1zsE" style="color: blue; text-decoration: underline;" moz-do-not-send="true">more favorable</a><span class="Apple-converted-space"> </span>than others.<span class="Apple-converted-space"> </span><br>
                  <br>
                  <br>
                  Thanks,<br>
                  Dimitris.<span><o:p></o:p></span></p>
                <div>
                  <div style="margin: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif;">On 25/5/2023 10:51 PM, Tom
                    Zermeno via Servercert-wg wrote:<o:p></o:p></div>
                </div>
                <blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Purpose of Ballot SC-059 V3</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Several events within the
                      community have led to concerns that the Baseline
                      Requirements for the Issuance and Management of
                      Publicly-Trusted Certificates (BRs) lacked a
                      specificity required to properly guide CAs on
                      matters dealing with the identification and
                      processing of digital certificates based on
                      private keys considered weak, or easy to
                      ascertain.  In the hopes that elaboration and
                      clarity on the subject would be beneficial to the
                      community, we are presenting updates to
                      §4.9.1.1 (“Reasons for Revoking a Subscriber
                      Certificate”) and §6.1.1.3 (Subscriber Key Pair
                      Generation) of the BRs.</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">The first update is to
                      §4.9.1.1 and is made to expand the scope of easily
                      computable Private Keys from “Debian weak keys” to
                      “those listed in section 6.1.1.3(5)”.  While the
                      initial language in the BRs did not exclude other
                      concerns, the use of a single example could be
                      interpreted to mean that other easily computable
                      Private Keys are few and far between.  The next
                      update was to §6.1.1.3(5), wherein we added
                      specific actions to be taken for ROCA
                      vulnerability, Debian weak keys - both RSA and
                      ECDSA – and Close Primes vulnerability.  We also
                      added a link to suggested tools to be used for
                      checking weak keys. Finally, an implementation
                      date of December 1, 2023 was added to allow CAs
                      time to update processes to meet the requirements.<span class="Apple-converted-space"> </span></span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="">The following
                        motion has been proposed by Thomas Zermeno of<span class="Apple-converted-space"> </span><a href="http://ssl.com/" style="color: blue;
                          text-decoration: underline;" moz-do-not-send="true">SSL.com</a><span class="Apple-converted-space"> </span>and
                        endorsed by Ben Wilson of Mozilla and Martijn
                        Katerbarg of Sectigo.</span></span><span class="eop"><span style=""> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">--Motion Begins--</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size:
                        12pt;">This ballot is intended to clarify CA
                        responsibilities regarding weak key
                        vulnerabilities, including specific guidance for
                        Debian weak key, ROCA and Close Primes attack
                        vulnerabilities, and modifies the “Baseline
                        Requirements for the Issuance and Management of
                        Publicly-Trusted Certificates” as follows, based
                        on Version 2.0.0.<span class="Apple-converted-space"> </span></span></span><span class="scxw53035567"><span style="font-size:
                        12pt;"> </span></span><span style="font-size:
                      12pt;"><br>
                      <span class="scxw53035567"> </span><br>
                      <span class="normaltextrun">Notes: Upon beginning
                        discussion for SC-59, the then-current version
                        of the BRs was 1.8.4; since that time several
                        ballots have been approved, leading to the
                        increment of the version to 1.8.7 and eventually
                        2.0.0, which is the latest approved version of
                        the BRs.  The changes introduced in SC-59 do not
                        conflict with any of the recent ballots. As
                        observed with other ballots in the past, minor
                        administrative updates must be made to the
                        proposed ballot text before publication such
                        that the appropriate Version # and Change
                        History are accurately represented (e.g., to
                        indicate these changes will be represented in
                        Version 2.0.1).</span><span class="eop"> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="">MODIFY the
                        Baseline Requirements as specified in the
                        following Redline:<span class="Apple-converted-space"> </span></span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00" target="_blank" style="color: blue;
                      text-decoration: underline;" moz-do-not-send="true"><span class="normaltextrun"><span style="">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span class="eop"><span style=""> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">--Motion Ends--</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">This ballot proposes a Final
                      Maintenance Guideline. The procedure for approval
                      of this ballot is as follows:</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
                    margin-left: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Discussion (11+ days) •
                      Start time: 2023-05-25 19:00:00 UTC • End time:
                      2023-06-08 18:59:00 UTC</span><span class="scxw53035567"> </span><br>
                    <span class="normaltextrun">Vote for approval (7
                      days) • Start time: TBD • End time: TBD</span><span class="eop"> </span><o:p></o:p></p>
                  <div style="margin: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif;"> <o:p></o:p></div>
                  <div style="margin: 0in; font-size: 11pt; font-family:
                    Calibri, sans-serif;"><span><br>
                      <br>
                      <o:p></o:p></span></div>
                  <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";">_______________________________________________<o:p></o:p></pre>
                  <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";">Servercert-wg mailing list<o:p></o:p></pre>
                  <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";"><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><o:p></o:p></pre>
                  <pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: "Courier New";"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></pre>
                </blockquote>
                <div style="margin: 0in; font-size: 11pt; font-family:
                  Calibri, sans-serif;"><span><o:p> </o:p></span></div>
              </div>
              </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</div></blockquote></div><br></div></body></html>