<div dir="ltr"><div>Fastly votes NO to ballot SC-59 v2.</div><div><br></div><div>While I realize that this ballot was first proposed more than 3 years ago and I greatly appreciate the efforts to finish the work, some valid concerns were raised recently on the list. Although consensus is not required, it is desirable, and there has not been adequate time or discussion given to these concerns. I am not opposed to the requirements as currently proposed but I see no good reason to cut off meaningful discussion that could result in a better outcome.</div><div><br></div><div>- Wayne<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 6, 2023 at 9:17 AM Tom Zermeno via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-975690434531883722"><div style="overflow-wrap: break-word;" lang="EN-US"><div class="m_-975690434531883722WordSection1"><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><b><span style="font-size:12pt">Purpose of the Ballot SC-59<u></u><u></u></span></b></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt">This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates related to the identification and revocation of certificates with private keys that were generated in a manner that may make them susceptible to easy decryption. It specifically deals with Debian weak keys, ROCA, and Close Primes Vulnerability. <u></u><u></u></span></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt">Notes: </span></span> <span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt"><u></u><u></u></span></span></p><ul type="disc"><li class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun">Thank you to the participants who voiced opinions and concerns about the previous version of the ballot. While there were many concerns about the inclusion of the Debian weak keys checks, we have decided to leave the checks in the ballot. Our reasoning is that we wanted to strengthen the guidance statements, to help CAs ensure compliant certificate generation. Future reviews of the BRs may cull the requirements, as is required by the needs of the community. <u></u><u></u></span></li><li class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun">We believe that the requested date of November 15, 2023, will allow enough time for Certificate Authorities to enact any changes to their systems to ensure that they perform the weak key checks on all CSRs submitted for TLS certificates. <u></u><u></u></span></li><li class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt;color:black">The changes introduced in SC-59 do not conflict with any of the recent ballots. As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version # and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.1). </span></span><span class="m_-975690434531883722eop"><span style="font-size:12pt;color:black"> </span></span><u></u><u></u></li></ul><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722eop"><span style="font-size:12pt">The following motion has been proposed by Thomas Zermeno of SSL.com and has been endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla. </span></span><span style="font-size:12pt"><u></u><u></u></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><b>- Motion Begins -</b> </span><span class="m_-975690434531883722eop"> </span><u></u><u></u></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></span><span class="m_-975690434531883722eop"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)"> </span></span><u></u><u></u></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:rgb(14,16,26)">MODIFY the Baseline Requirements as specified in the following Redline: </span></span><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a" target="_blank"><span class="m_-975690434531883722normaltextrun"><span style="color:rgb(5,99,193)">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a</span></span></a><span class="m_-975690434531883722normaltextrun"> </span><span class="m_-975690434531883722eop"> </span><u></u><u></u></p><p><span class="m_-975690434531883722normaltextrun"><b>- Motion Ends<span style="color:rgb(0,120,212)"> -</span></b></span><span class="m_-975690434531883722eop"> </span><span style="font-size:12pt"><br><br><span style="color:rgb(14,16,26)">The procedure for approval of this ballot is as follows:</span><span style="color:black"><u></u><u></u></span></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt">Discussion (7 days) </span><u></u><u></u></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt">• Start time: 2023-06-26 22:00:00 UTC <u></u><u></u></span></span></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><span style="font-size:12pt">• End time: 2023-07-03 21:59:59 UTC</span></span><span class="m_-975690434531883722scxw53035567"><span style="font-size:12pt"> </span></span><u></u><u></u></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><b><span style="font-size:12pt">Vote for approval (7 days)</span></b></span><span class="m_-975690434531883722eop"><b><span style="font-size:12pt"> </span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><b><span style="font-size:12pt"> • Start Time: 2023-07-06 17:00:00</span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="m_-975690434531883722paragraph" style="vertical-align:baseline"><span class="m_-975690434531883722normaltextrun"><b><span style="font-size:12pt"> • End Time: 2023-07-13 16:59:59</span></b></span><span class="m_-975690434531883722eop"><b><span style="font-size:12pt"> </span></b></span><b><span style="font-size:12pt"><u></u><u></u></span></b></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div></blockquote></div>