[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Ben Wilson ben at digicert.com
Thu Nov 1 20:25:34 MST 2012


What if Part E of Ballot 93 read,

1.  Add the following to Section 3. References

"NIST SP 800-89, Recommendation for Obtaining Assurances for Digital
Signature Applications, 
http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf
"

2.  Add the following after Appendix A, table (3):

"(4)  General requirements for public keys (Effective 1 January 2013)
RSA: The CA SHALL confirm that the value of the public exponent is an odd
number equal to 3 or more.  Additionally, the public exponent SHOULD be in
the range between 2^16+1 and 2^256-1.  The modulus SHOULD also have the
following characteristics:  an odd number, not the power of a prime, and
have no factors smaller than 752.  [Source:  Section 5.3.3, NIST SP
800-89]."
?
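An added example, not part of the ballot text or of any CA's software, that applies the proposed table (4) rules to an RSA public key (n, e): the MUST rule on the exponent is reported as a failure, the SHOULD rules as warnings. It assumes plain Python with no third-party libraries; the function names, the Miller-Rabin bases and the test moduli are the example's own choices.

```python
# Added example (not ballot text or CA code): check (n, e) against proposed table (4).
BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def probably_prime(n):
    """Miller-Rabin over BASES: exact below 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_perfect_power(n):
    """True if n == r**k for r >= 2, k >= 2: exact integer roots by bisection, no factoring."""
    for k in range(2, n.bit_length()):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo < hi:
            mid = (lo + hi + 1) // 2
            lo, hi = (mid, hi) if mid**k <= n else (lo, mid - 1)
        if lo**k == n:
            return True
    return False

def check_rsa_public_key(n, e):
    """Return (must_failures, should_warnings) for the table (4) rules."""
    must, should = [], []
    if e < 3 or e % 2 == 0:                        # MUST: odd and >= 3
        must.append("exponent is not an odd number >= 3")
    if not 2**16 + 1 <= e <= 2**256 - 1:           # SHOULD: exponent range
        should.append("exponent outside 2^16+1 .. 2^256-1")
    if probably_prime(n) or is_perfect_power(n):   # SHOULD: not a prime power
        should.append("modulus is a prime or a prime power")
    for d in range(2, 752):                        # SHOULD: odd, no factor < 752
        if n > d and n % d == 0:
            should.append(f"modulus has factor {d} < 752")
            break
    return must, should
```

The prime-power rule is tested without factoring n: a primality test covers k = 1 and an exact k-th root search covers k >= 2, while the odd-modulus and small-factor rules are one trial-division pass below 752.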

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Mads Egil Henriksveen
Sent: Wednesday, October 31, 2012 12:33 PM
To: Rick Andrews; Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR
issues 6, 8, 10, 21)

Hi

I do agree with Rick.

And it is not clear to me which parts of the NIST document we must consider.
If it's only the public key recommendations in chapter 3.1, i.e. table 3.2
and the paragraph before, why not just include this in the BR (isn't this
already included for RSA) and remove the reference to the NIST document?

The rest of this twenty-page document is mostly out-of-scope.

Regards
Mads

-----Original Message-----
From: management-bounces at cabforum.org
[mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: 31. oktober 2012 19:10
To: Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR
issues 6, 8, 10, 21)

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Wednesday, October 31, 2012 8:53 AM
> To: Rick Andrews
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation 
> (BR issues 6, 8, 10, 21)
> 
> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews 
> <Rick_Andrews at symantec.com> wrote:
> 
> > Ben and Yngve,
> >
> > Thanks for the clarifications. I understand then that CAs can check
> > for coprime with phi(n) only for their own roots and intermediates,
> > not for end entity certs. But this ballot will require all CAs to
> > check that the exponent is odd and within that range for all end
> > entity certs, effective immediately.
> 
> Which is essentially the current requirements in the referenced NIST 
> document.

Yngve, just for the record, that NIST document establishes requirements for
Personal Identity Verification (PIV) for US Government agencies. It's a
recommendation for everyone else, and does not explicitly mention SSL or
TLS. I agree that its recommendations make sense for SSL certs too, but
let's be clear that it does not impose any requirements on CAs who sell SSL
certs, especially non-US CAs.

-Rick