<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Dimitris,<div><div><br><blockquote type="cite"><div>On May 28, 2023, at 10:17 PM, Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr> wrote:</div><br class="Apple-interchange-newline"><div>
<div>
Hi Clint,<br>
<br>
<div class="moz-cite-prefix">On 26/5/2023 6:45 p.m., Clint Wilson
wrote:<br>
</div>
<blockquote type="cite" cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
Hi Tom, Dimitris,
<div><br>
</div>
<div>I continue to be opposed to the SCWG trying to limit
effective dates to 2 per year. I think it’s entirely reasonable
to align on a day of the month (I think the 15th has broadly
been the only one I’ve heard proposed). I think it’s reasonable
to try to avoid January and December. I also think there may be
value in trying to reduce the overall number of effective dates
somewhat. The dates I’m personally in favor of aligning on are
February, April, June, August, and October 15th.</div>
<div>
<div><br>
</div>
<div>If there’s a particular penchant towards March and
September, however, then I’d be unopposed to March, May, July,
September, and November 15th. </div>
<div><br>
</div>
<div>For this ballot in particular, I think October 15 or
November 15 2023 are feasible targets for implementing these
changes and would greatly prefer closing this issue (open now
for <u>more than 3 years</u>) sooner than later, especially
given the number of incidents we’ve seen in the last years
related to weak key vulnerabilities and CAs issuing
certificates with weak keys.</div>
</div>
</blockquote>
<br>
It's fine for me also to close this issue sooner than later, which is
why I recommended even the September 15, 2023 effective date.<br></div></div></blockquote>Agreed, if the ballot author(s) and endorsers feel September 15, 2023 is feasible, I would be very supportive of selecting that date.<br><blockquote type="cite"><div><div>
<br>
On the 2 document releases per year issue, this is a preliminary
result after having long discussions. I was not aware of any
opposition until now, but perhaps your opposition didn't consider
the emergency options of the proposal? </div></div></blockquote>I’ve raised my opposition before, and I have taken into account the emergency options. Part of my opposition is to the idea that selecting an effective date that is not one of the preferred dates needs to be considered an emergency in order to occur. I don’t believe adding this additional “gate”, especially formally, to the ballot process is necessary nor particularly helpful.<br><blockquote type="cite"><div><div>The "standardized release
cycle for Guidelines" proposal addresses a series of concerns about
the frequency and number of document updates, as highlighted in the
presentation shared in my previous reply. If you recall, the
proposal still allows the release of "Emergency Guidelines" that
bypasses the 6-month regular release cycle. We still need to work on
the details which I hope to make progress on after passing the first
Bylaws updates that are already prepared, but I'm confident that all
concerns will be addressed.<br></div></div></blockquote>I look forward to the continued discussion around the proposal and will be happy to participate as/when that moves forward, as you’ve noted below.<br><blockquote type="cite"><div><div>
<br>
If we use this ballot as an example for applying the "standardized
release cycle for Guidelines", Apple would propose that this is an
Emergency Guideline and specify an effective date that would not be
one of March 15 or September 15. If there was no opposition, we
would proceed with a ballot that would result in an emergency
guideline release and the proposed effective date exactly as we
normally do today.<br></div></div></blockquote>This ballot does not strike me as qualifying as an Emergency by any definition I’m familiar with, and provides a useful demonstration as to why I am currently opposed to the “standardized release cycle for Guidelines”, as presented, while being much more supportive of something along the lines of what Tim and I discussed.</div><div><br></div><div>Cheers,</div><div>-Clint<br><blockquote type="cite"><div><div>
<br>
I plan to start a separate thread to continue this discussion at the
Forum level after we make some progress with the recently proposed
Bylaws changes.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite" cite="mid:1D79E82F-4004-4497-979D-78C5290B3732@apple.com">
<div>
<div><br>
</div>
<div>Thanks,</div>
<div>-Clint</div>
<div><br>
<blockquote type="cite">
<div>On May 26, 2023, at 7:37 AM, Tom Zermeno via
Servercert-wg <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div class="WordSection1" style="page: WordSection1;
caret-color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;">
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Hello Dimitris,<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Thank you for the input. We
feel that September 15<sup>th</sup><span class="Apple-converted-space"> </span>does not
provide enough time for CAs to implement these
changes, but we are not against the March 15, 2024
effective date, if there is consensus from the
Community.<span class="Apple-converted-space"> </span><o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Thank you,<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">Tom<o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><a href="http://ssl.com/" style="color: blue; text-decoration: underline;" moz-do-not-send="true">SSL.com</a><o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div>
<div>
<div style="border-width: 1pt medium medium;
border-style: solid none none; border-color:
rgb(225, 225, 225) currentcolor currentcolor;
border-image: none; padding: 3pt 0in 0in;">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration:
underline;" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>><span class="Apple-converted-space"> </span><b>On
Behalf Of<span class="Apple-converted-space"> </span></b>Dimitris
Zacharopoulos (HARICA) via Servercert-wg<br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Friday,
May 26, 2023 1:54 AM<br>
<b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration:
underline;" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a><br>
<b>Subject:</b><span class="Apple-converted-space"> </span>Re:
[Servercert-wg] SC-59 Weak Key Guidance<o:p></o:p></span></div>
</div>
</div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><o:p> </o:p></div><p class="MsoNormal" style="margin: 0in 0in 12pt;
font-size: 11pt; font-family: Calibri, sans-serif;"><br>
Hi Tom,<br>
<br>
Historically, the SCWG has been trying to avoid
effective dates during January or December. I
recommend using September 15, 2023 or March 15, 2024
as possible effective dates. These two dates seem to
be<span class="Apple-converted-space"> </span><a href="https://docs.google.com/presentation/d/1oTGVYqggQpQMR4Lktbu_L6DhuBVJzeuiFGd9EAU1zsE" style="color: blue; text-decoration: underline;" moz-do-not-send="true">more favorable</a><span class="Apple-converted-space"> </span>than others.<span class="Apple-converted-space"> </span><br>
<br>
<br>
Thanks,<br>
Dimitris.<span><o:p></o:p></span></p>
<div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;">On 25/5/2023 10:51 p.m., Tom
Zermeno via Servercert-wg wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Purpose of Ballot SC-059 V3</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Several events within the
community have led to concerns that the Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates (BRs) lacked a
specificity required to properly guide CAs on
matters dealing with the identification and
processing of digital certificates based on
private keys considered weak, or easy to
ascertain. In the hopes that elaboration and
clarity on the subject would be beneficial to the
community, we are presenting updates to
§4.9.1.1 (“Reasons for Revoking a Subscriber
Certificate”) and §6.1.1.3 (“Subscriber Key Pair
Generation”) of the BRs.</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">The first update is to
§4.9.1.1 and is made to expand the scope of easily
computable Private Keys from “Debian weak keys” to
“those listed in section 6.1.1.3(5)”. While the
initial language in the BRs did not exclude other
concerns, the use of a single example could be
interpreted to mean that other easily computable
Private Keys are few and far between. The next
update was to §6.1.1.3(5), wherein we added
specific actions to be taken for ROCA
vulnerability, Debian weak keys - both RSA and
ECDSA - and Close Primes vulnerability. We also
added a link to suggested tools to be used for
checking weak keys. Finally, an implementation
date of December 1, 2023 was added to allow CAs
time to update processes to meet the requirements.<span class="Apple-converted-space"> </span></span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="">The following
motion has been proposed by Thomas Zermeno of<span class="Apple-converted-space"> </span><a href="http://ssl.com/" style="color: blue;
text-decoration: underline;" moz-do-not-send="true">SSL.com</a><span class="Apple-converted-space"> </span>and
endorsed by Ben Wilson of Mozilla and Martijn
Katerbarg of Sectigo.</span></span><span class="eop"><span style=""> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">--Motion Begins--</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size:
12pt;">This ballot is intended to clarify CA
responsibilities regarding weak key
vulnerabilities, including specific guidance for
Debian weak key, ROCA and Close Primes attack
vulnerabilities, and modifies the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates” as follows, based
on Version 2.0.0.<span class="Apple-converted-space"> </span></span></span><span class="scxw53035567"><span style="font-size:
12pt;"> </span></span><span style="font-size:
12pt;"><br>
<span class="scxw53035567"> </span><br>
<span class="normaltextrun">Notes: Upon beginning
discussion for SC-59, the then-current version
of the BRs was 1.8.4; since that time several
ballots have been approved, leading to the
increment of the version to 1.8.7 and eventually
2.0.0, which is the latest approved version of
the BRs. The changes introduced in SC-59 do not
conflict with any of the recent ballots. As
observed with other ballots in the past, minor
administrative updates must be made to the
proposed ballot text before publication such
that the appropriate Version # and Change
History are accurately represented (e.g., to
indicate these changes will be represented in
Version 2.0.1).</span><span class="eop"> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="">MODIFY the
Baseline Requirements as specified in the
following Redline:<span class="Apple-converted-space"> </span></span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00" target="_blank" style="color: blue;
text-decoration: underline;" moz-do-not-send="true"><span class="normaltextrun"><span style="">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:3b0c6de32595d02fbd96762cda98cdc88addef00</span></span></a><span class="eop"><span style=""> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">--Motion Ends--</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">This ballot proposes a Final
Maintenance Guideline. The procedure for approval
of this ballot is as follows:</span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in;
margin-left: 0in; font-size: 11pt; font-family:
Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Discussion (11+ days) •
Start time: 2023-05-25 19:00:00 UTC • End time:
2023-06-08 18:59:00 UTC</span><span class="scxw53035567"> </span><br>
<span class="normaltextrun">Vote for approval (7
days) • Start time: TBD • End time: TBD</span><span class="eop"> </span><o:p></o:p></p>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"> <o:p></o:p></div>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><span><br>
<br>
<o:p></o:p></span></div>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">_______________________________________________<o:p></o:p></pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">Servercert-wg mailing list<o:p></o:p></pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><o:p></o:p></pre>
<pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" style="color: blue; text-decoration: underline;" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></pre>
</blockquote>
<div style="margin: 0in; font-size: 11pt; font-family:
Calibri, sans-serif;"><span><o:p> </o:p></span></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div></blockquote></div><br></div></body></html>