<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
HARICA votes "yes" to ballot SC-59 v2.<br>
<br>
Based on the information that has already been disclosed in the
course of this ballot, we believe that the tools are available for
every CA to achieve the goal of protecting Subscribers and Relying
Parties from using Debian weak keys, without too much effort. <a
moz-do-not-send="true"
href="https://github.com/HARICA-official/debian-weak-keys">HARICA</a>
has shared some of that work and the same applies for <a
moz-do-not-send="true"
href="https://github.com/CVE-2008-0166/private_keys">Sectigo</a>.
We consider the clarifications provided in this ballot very useful
and they should be adopted as soon as possible.<br>
<br>
We would also like to echo that the value of protecting specifically
against Debian weak keys in 2023 is very minor, and we would support
removing this requirement (for Debian weak keys) in the future.<br>
<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 6/7/2023 7:17 PM, Tom Zermeno via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001892bfeb0a0-d91aac53-1f9c-4057-ba75-2715887d20a9-000000@email.amazonses.com">
<div class="WordSection1">
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><b><span style="font-size:12.0pt">Purpose
of the Ballot SC-59<o:p></o:p></span></b></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="font-size:12.0pt">This
ballot proposes updates to the Baseline Requirements for
the Issuance and Management of Publicly-Trusted
Certificates related to the identification and revocation
of certificates with private keys that were generated in a
manner that may make them susceptible to easy decryption.
It specifically deals with Debian weak keys, ROCA, and
Close Primes Vulnerability. <o:p></o:p></span></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="font-size:12.0pt">Notes:
</span></span> <span class="normaltextrun"><span
style="font-size:12.0pt"><o:p></o:p></span></span></p>
<ul type="disc">
<li class="paragraph" style="mso-list:l0 level1
lfo1;vertical-align:baseline"><span class="normaltextrun">Thank
you to the participants who voiced opinions and concerns
about the previous version of the ballot. While there
were many concerns about the inclusion of the Debian weak
keys checks, we have decided to leave the checks in the
ballot. Our reasoning is that we wanted to strengthen the
guidance statements, to help CAs ensure compliant
certificate generation. Future reviews of the BRs may
cull the requirements, as is required by the needs of the
community. <o:p></o:p></span></li>
<li class="paragraph" style="mso-list:l0 level1
lfo1;vertical-align:baseline"><span class="normaltextrun">We
believe that the requested date of November 15, 2023, will
allow enough time for Certificate Authorities to enact any
changes to their systems to ensure that they perform the
weak key checks on all CSRs submitted for TLS
certificates. <o:p></o:p></span></li>
<li class="paragraph" style="mso-list:l0 level1
lfo1;vertical-align:baseline"><span class="normaltextrun"><span
style="font-size:12.0pt;color:black">The changes
introduced in SC-59 do not conflict with any of the
recent ballots. As observed with other ballots in the
past, minor administrative updates must be made to the
proposed ballot text before publication such that the
appropriate Version # and Change History are accurately
represented (e.g., to indicate these changes will be
represented in Version 2.0.1). </span></span><span
class="eop"><span style="font-size:12.0pt;color:black"> </span></span><o:p></o:p></li>
</ul>
<p class="paragraph" style="vertical-align:baseline"><span
class="eop"><span style="font-size:12.0pt">The following
motion has been proposed by Thomas Zermeno of SSL.com and
has been endorsed by Martijn Katerbarg of Sectigo and Ben
Wilson of Mozilla. </span></span><span
style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><b>- Motion Begins -</b> </span><span
class="eop"> </span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates”
(“Baseline Requirements”), based on Version 2.0.0.</span></span><span
class="eop"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span
style="font-size:10.5pt;font-family:'Arial',sans-serif;color:#0E101A">MODIFY
the Baseline Requirements as specified in the following
Redline: </span></span><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a"
target="_blank" moz-do-not-send="true"><span
class="normaltextrun"><span style="color:#0563C1">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a</span></span></a><span
class="normaltextrun"> </span><span class="eop"> </span><o:p></o:p></p>
<p><span class="normaltextrun"><b>- Motion Ends<span
style="color:#0078D4"> -</span></b></span><span
class="eop"> </span><span style="font-size:12.0pt"><br>
<br>
<span style="color:#0E101A">The procedure for approval of
this ballot is as follows:</span><span style="color:black"><o:p></o:p></span></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="font-size:12.0pt">Discussion
(7 days) </span><o:p></o:p></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="font-size:12.0pt">• Start
time: 2023-06-26 22:00:00 UTC <o:p></o:p></span></span></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><span style="font-size:12.0pt">• End
time: 2023-07-03 21:59:59 UTC</span></span><span
class="scxw53035567"><span style="font-size:12.0pt"> </span></span><o:p></o:p></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><b><span style="font-size:12.0pt">Vote
for approval (7 days)</span></b></span><span class="eop"><b><span
style="font-size:12.0pt"> </span></b></span><b><span
style="font-size:12.0pt"><o:p></o:p></span></b></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><b><span style="font-size:12.0pt"> •
Start Time: 2023-07-06 17:00:00</span></b></span><b><span
style="font-size:12.0pt"><o:p></o:p></span></b></p>
<p class="paragraph" style="vertical-align:baseline"><span
class="normaltextrun"><b><span style="font-size:12.0pt"> •
End Time: 2023-07-13 16:59:59</span></b></span><span
class="eop"><b><span style="font-size:12.0pt"> </span></b></span><b><span
style="font-size:12.0pt"><o:p></o:p></span></b></p>
</div>
<br>
</blockquote>
<br>
</body>
</html>