<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">I agree with the ballot author(s) and endorsers. This ballot is focused on addressing gaps in the current BRs related to overall weak key guidance (not just Debian weak key checks). The topic of removing the requirement for Debian weak key checking is separate from what I understand the intent and goal of this ballot to ever have been and should be addressed in its own ballot. <div><br><div>Is the concern from CAs that the Debian weak key requirements in this ballot are meaningfully different than what they’re doing today, and they’d like to avoid doing that work? If so, can you explain what the difference(s) is and what impact it’s expected to have for your CA? </div><div><br></div><div>FWIW my read of the current situation is that I don’t think there’s consensus to remove Debian weak key checks at this time, but I do think there’s at least rough consensus that it’s a topic worth discussing/pursuing.</div><div><br></div><div>Thanks,</div><div>-Clint<br><div><br><blockquote type="cite"><div>On Jul 5, 2023, at 12:44 PM, Tom Zermeno via Servercert-wg <servercert-wg@cabforum.org> wrote:</div><br class="Apple-interchange-newline"><div><meta charset="UTF-8"><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Does anyone have any comments to add to this discussion? Is it worthwhile to consider the removal of DWK checks at this time, or should it be considered at a later date?<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">-Tom<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Tom Zermeno <<a href="mailto:tom@ssl.com" style="color: rgb(5, 99, 193); text-decoration: underline;">tom@ssl.com</a>><span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, June 29, 2023 11:55 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Christophe Bonjean <<a href="mailto:christophe.bonjean@globalsign.com" style="color: rgb(5, 99, 193); text-decoration: underline;">christophe.bonjean@globalsign.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>RE: SC-59 Weak Key Guidance v.2 - Discussion Period<o:p></o:p></span></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Christophe,<span class="Apple-converted-space"> </span><o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">The consideration of removing the checks brings up many questions. As a CA representative, do you feel that the removal of a requirement to check for and revoke Debian Weak Key certificates would pose a risk to relying parties? Granted, the method has been patched for 15 years and the certificates are almost never seen in the wild, and to generate DWK certificates someone would either have not patched their system in over a decade or specifically gone out of their way to obtain the software versions capable of creating those certs. Should we chalk it up to a “Darwin Award” for the subscribers who accidentally, or ignorantly, fall into that category? Should CAs still be responsible for the relying parties who will undoubtedly be hurt when the certificate is cracked, or would/could that burden be placed upon the subscriber by an Agreement clause akin to “keep your private key safe”?<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Tom<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Christophe Bonjean <<a href="mailto:christophe.bonjean@globalsign.com" style="color: rgb(5, 99, 193); text-decoration: underline;">christophe.bonjean@globalsign.com</a>><span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, June 29, 2023 7:11 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Tom Zermeno <<a href="mailto:tom@ssl.com" style="color: rgb(5, 99, 193); text-decoration: underline;">tom@ssl.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>RE: SC-59 Weak Key Guidance v.2 - Discussion Period<o:p></o:p></span></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;">Hi Tom<o:p></o:p></span></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;"><o:p> </o:p></span></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;">Thank you for looking into the feedback.<span class="Apple-converted-space"> </span><o:p></o:p></span></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;"><o:p> </o:p></span></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;">With the concerns about Debian weak key checks and revocation, where there is already today doubt about keeping it in a future version of the requirements, with some suggestions to remove it in a next ballot, it seems we would be spending double efforts with first this ballot and a subsequent discussion for a topic that we already know has not fully been clarified. I would suggest we aim to reach a consensus on this before we proceed with this ballot.<span class="Apple-converted-space"> </span><o:p></o:p></span></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;"><o:p> </o:p></span></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;">Christophe<o:p></o:p></span></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt; font-family: Arial, sans-serif;"><o:p> </o:p></span></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg-bounces@cabforum.org</a>><span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Tom Zermeno via Servercert-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, June 26, 2023 11:53 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Tom Zermeno <<a href="mailto:tom@ssl.com" style="color: rgb(5, 99, 193); text-decoration: underline;">tom@ssl.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period<o:p></o:p></span></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">While the ballot does not specifically address the concerns about the value of Debian checks, etc., I felt that the removal of the review should be better considered in a future ballot initiative.<span class="Apple-converted-space"> </span><a href="http://ssl.com/" style="color: rgb(5, 99, 193); text-decoration: underline;">SSL.com</a><span class="Apple-converted-space"> </span>believes that an overabundance of caution is beneficial to the community, even if it is a drain on resources. We hope that the ballot, as presented, does not represent an overwhelming burden on CAs.<span class="Apple-converted-space"> </span><o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><br>We do agree with the sentiment that most weak-key submissions have been by security researchers, but the occasional customer who is spared the potentially devastating effects of using a weak certificate makes the efforts worthwhile. We would consider, and possibly agree, to the removal of Debian weak-key checks and the revocation requirements of 4.9.1.1 (4), but we would also likely continue to perform the assessments for the benefits of our customers and relying parties. However, as stated, we feel that this avenue of discussion is better traveled after the strengthening of current BR requirements for the prevention of modern threats. <o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Thanks,<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Tom<o:p></o:p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></p><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span>From:</span></b><span><span class="Apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg-bounces@cabforum.org</a>><span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Tom Zermeno via Servercert-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, June 26, 2023 4:35 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Infrastructure Bot via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>[Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period<o:p></o:p></span></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">My apologies to the community for not properly submitting the updated version (v2) of the SC-59 Weak Key Guidance ballot for discussion. Please disregard the previous call to vote and allow a 7-day period to discuss the changes made to the ballot.<span class="Apple-converted-space"> </span><o:p></o:p></span></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">Notes:<o:p></o:p></span></span></p><ul type="disc" style="margin-bottom: 0in;"><li class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">Thank you to the participants who voiced opinions and concerns about the previous version of the ballot. While there were many concerns about the inclusion of the Debian weak keys checks, we have decided to leave the checks in the ballot. Our reasoning is that we wanted to strengthen the guidance statements, to help CAs ensure compliant certificate generation. Future reviews of the BRs may cull the requirements, as is required by the needs of the community.<span class="Apple-converted-space"> </span><o:p></o:p></span></li><li class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun">We believe that the requested date of November 15, 2023, will allow enough time for Certificate Authorities to enact any changes to their systems to ensure that they perform the weak key checks on all CSRs submitted for TLS certificates.<span class="Apple-converted-space"> </span><o:p></o:p></span></li><li class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">The changes introduced in SC-59 do not conflict with any of the recent ballots. As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version # and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.1).<span class="Apple-converted-space"> </span></span></span><span class="eop"><span style="font-size: 12pt;"> </span></span><o:p></o:p></li></ul><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="eop"><span style="font-size: 12pt;">The following motion has been proposed by Thomas Zermeno of<span class="Apple-converted-space"> </span><a href="http://ssl.com/" style="color: rgb(5, 99, 193); text-decoration: underline;">SSL.com</a><span class="Apple-converted-space"> </span>and has been endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.<span class="Apple-converted-space"> </span></span></span><span style="font-size: 12pt;"><o:p></o:p></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><b>- Motion Begins -</b><span class="Apple-converted-space"> </span></span><span class="eop"> </span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 10.5pt; font-family: Arial, sans-serif; color: rgb(14, 16, 26);">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></span><span class="eop"><span style="font-size: 10.5pt; font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 10.5pt; font-family: Arial, sans-serif; color: rgb(14, 16, 26);">MODIFY the Baseline Requirements as specified in the following Redline:<span class="Apple-converted-space"> </span></span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a" target="_blank" style="color: rgb(5, 99, 193); text-decoration: underline;"><span class="normaltextrun">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a</span></a><span class="normaltextrun"><span class="Apple-converted-space"> </span></span><span class="eop"> </span><o:p></o:p></p><p><span class="normaltextrun"><b>- Motion Ends<span style="color: rgb(0, 120, 212);"><span class="Apple-converted-space"> </span>-</span></b></span><span class="eop"> </span><span style="font-size: 12pt;"><br><br><span style="color: rgb(14, 16, 26);">The procedure for approval of this ballot is as follows:</span><span style=""><o:p></o:p></span></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">Discussion (7 days)<span class="Apple-converted-space"> </span></span><o:p></o:p></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">• Start time: 2023-06-26 22:00:00 UTC<span class="Apple-converted-space"> </span><o:p></o:p></span></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">• End time: 2023-07-03 21:59:59 UTC</span></span><span class="scxw53035567"><span style="font-size: 12pt;"> </span></span><o:p></o:p></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;">Vote for approval (7 days)</span></span><span class="eop"><span style="font-size: 12pt;"> </span></span><span style="font-size: 12pt;"><o:p></o:p></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;"> • Start Time: TBD</span></span><span style="font-size: 12pt;"><o:p></o:p></span></p><p class="paragraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; vertical-align: baseline;"><span class="normaltextrun"><span style="font-size: 12pt;"> • End Time: TBD</span></span><span class="eop"><span style="font-size: 12pt;"> </span></span><span style="font-size: 12pt;"><o:p></o:p></span></p><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 12pt;"><o:p> </o:p></span></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Servercert-wg mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><a href="mailto:Servercert-wg@cabforum.org" style="color: rgb(5, 99, 193); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Servercert-wg@cabforum.org</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" style="color: rgb(5, 99, 193); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></div></blockquote></div><br></div></div></body></html>