<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    HARICA votes "yes" to ballot SC-59 v2.<br>
    <br>
    Based on the information that has already been disclosed in the
    course of this ballot, we believe that the tools are available for
    every CA to achieve the goal of protecting Subscribers and Relying
    Parties from using Debian weak keys, without too much effort. <a
      moz-do-not-send="true"
      href="https://github.com/HARICA-official/debian-weak-keys">HARICA</a>
    has shared some of that work and the same applies for <a
      moz-do-not-send="true"
      href="https://github.com/CVE-2008-0166/private_keys">Sectigo</a>.
    We consider the clarifications provided in this ballot very useful
    and they should be adopted as soon as possible.<br>
    <br>
    We would also like to echo that the value of protecting specifically
    against Debian weak keys in 2023 is very minor, and we would support
    removing this requirement (for Debian weak keys) in the future.<br>
    <br>
    Dimitris.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/7/2023 7:17 PM, Tom Zermeno via
      Servercert-wg wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:010001892bfeb0a0-d91aac53-1f9c-4057-ba75-2715887d20a9-000000@email.amazonses.com">
      <div class="WordSection1">
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><b><span style="font-size:12.0pt">Purpose
                of the Ballot SC-59<o:p></o:p></span></b></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span style="font-size:12.0pt">This
              ballot proposes updates to the Baseline Requirements for
              the Issuance and Management of Publicly-Trusted
              Certificates related to the identification and revocation
              of certificates with private keys that were generated in a
              manner that may make them susceptible to easy decryption.
              It specifically deals with Debian weak keys, ROCA, and
              Close Primes Vulnerability. <o:p></o:p></span></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span style="font-size:12.0pt">Notes:
            </span></span> <span class="normaltextrun"><span
              style="font-size:12.0pt"><o:p></o:p></span></span></p>
        <ul type="disc">
          <li class="paragraph" style="mso-list:l0 level1
            lfo1;vertical-align:baseline"><span class="normaltextrun">Thank
              you to the participants who voiced opinions and concerns
              about the previous version of the ballot.  While there
              were many concerns about the inclusion of the Debian weak
              keys checks, we have decided to leave the checks in the
              ballot.  Our reasoning is that we wanted to strengthen the
              guidance statements, to help CAs ensure compliant
              certificate generation.  Future reviews of the BRs may
              cull the requirements, as is required by the needs of the
              community. <o:p></o:p></span></li>
          <li class="paragraph" style="mso-list:l0 level1
            lfo1;vertical-align:baseline"><span class="normaltextrun">We
              believe that the requested date of November 15, 2023, will
              allow enough time for Certificate Authorities to enact any
              changes to their systems to ensure that they perform the
              weak key checks on all CSRs submitted for TLS
              certificates. <o:p></o:p></span></li>
          <li class="paragraph" style="mso-list:l0 level1
            lfo1;vertical-align:baseline"><span class="normaltextrun"><span
                style="font-size:12.0pt;color:black">The changes
                introduced in SC-59 do not conflict with any of the
                recent ballots. As observed with other ballots in the
                past, minor administrative updates must be made to the
                proposed ballot text before publication such that the
                appropriate Version # and Change History are accurately
                represented (e.g., to indicate these changes will be
                represented in Version 2.0.1). </span></span><span
              class="eop"><span style="font-size:12.0pt;color:black"> </span></span><o:p></o:p></li>
        </ul>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="eop"><span style="font-size:12.0pt">The following
              motion has been proposed by Thomas Zermeno of SSL.com and
              has been endorsed by Martijn Katerbarg of Sectigo and Ben
              Wilson of Mozilla. </span></span><span
            style="font-size:12.0pt"><o:p></o:p></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><b>- Motion Begins -</b> </span><span
            class="eop"> </span><o:p></o:p></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A">This
              ballot modifies the “Baseline Requirements for the
              Issuance and Management of Publicly-Trusted Certificates”
              (“Baseline Requirements”), based on Version 2.0.0.</span></span><span
            class="eop"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A"> </span></span><o:p></o:p></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A">MODIFY
              the Baseline Requirements as specified in the following
              Redline: </span></span><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a"
            target="_blank" moz-do-not-send="true"><span
              class="normaltextrun"><span style="color:#0563C1">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a</span></span></a><span
            class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
        <p><span class="normaltextrun"><b>- Motion Ends<span
                style="color:#0078D4"> -</span></b></span><span
            class="eop"> </span><span style="font-size:12.0pt"><br>
            <br>
            <span style="color:#0E101A">The procedure for approval of
              this ballot is as follows:</span><span style="color:black"><o:p></o:p></span></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span style="font-size:12.0pt">Discussion
              (7 days) </span><o:p></o:p></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span style="font-size:12.0pt">• Start
              time: 2023-06-26 22:00:00 UTC <o:p></o:p></span></span></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><span style="font-size:12.0pt">• End
              time: 2023-07-03 21:59:59 UTC</span></span><span
            class="scxw53035567"><span style="font-size:12.0pt"> </span></span><o:p></o:p></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><b><span style="font-size:12.0pt">Vote
                for approval (7 days)</span></b></span><span class="eop"><b><span
                style="font-size:12.0pt"> </span></b></span><b><span
              style="font-size:12.0pt"><o:p></o:p></span></b></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><b><span style="font-size:12.0pt">  • 
                Start Time:  2023-07-06 17:00:00</span></b></span><b><span
              style="font-size:12.0pt"><o:p></o:p></span></b></p>
        <p class="paragraph" style="vertical-align:baseline"><span
            class="normaltextrun"><b><span style="font-size:12.0pt">  • 
                End Time:   2023-07-13 16:59:59</span></b></span><span
            class="eop"><b><span style="font-size:12.0pt"> </span></b></span><b><span
              style="font-size:12.0pt"><o:p></o:p></span></b></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>