[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Yngve Nysaeter Pettersen yngve at opera.com
Fri Nov 2 04:25:21 MST 2012


Looks OK to me.


On Fri, 02 Nov 2012 04:25:34 +0100, Ben Wilson <ben at digicert.com> wrote:

> What if Part E of Ballot 93 read,
>
> 1.  Add the following to Section 3. References
>
> "NIST SP 800-89, Recommendation for Obtaining Assurances for Digital
> Signature Applications,
> http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf
> "
>
> 2.  Add the following after Appendix A, table (3):
>
> "(4) 	General requirements for public keys (Effective 1 January 2013)
> RSA: The CA SHALL confirm that the value of the public exponent is an odd
> number equal to 3 or more.  Additionally, the public exponent SHOULD be in
> the range between 2^16+1 and 2^256-1.  The modulus SHOULD also have the
> following characteristics:  an odd number, not the power of a prime, and
> have no factors smaller than 752.    [Source:  Section 5.3.3, NIST SP
> 800-89]."
> ?
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Mads Egil Henriksveen
> Sent: Wednesday, October 31, 2012 12:33 PM
> To: Rick Andrews; Yngve N. Pettersen (Developer Opera Software ASA)
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR
> issues 6, 8, 10, 21)
>
> Hi
>
> I do agree with Rick.
>
> And it is not clear to me which parts of the NIST document we must consider.
> If it's only the public key recommendations in chapter 3.1, i.e. table 3.2
> and the paragraph before, why not just include this in the BR (isn't this
> already included for RSA) and remove the reference to the NIST document?
>
> The rest of this twenty-page document is mostly out-of-scope.
>
> Regards
> Mads
>
> -----Original Message-----
> From: management-bounces at cabforum.org
> [mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
> Sent: 31. oktober 2012 19:10
> To: Yngve N. Pettersen (Developer Opera Software ASA)
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR
> issues 6, 8, 10, 21)
>
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
>> Sent: Wednesday, October 31, 2012 8:53 AM
>> To: Rick Andrews
>> Cc: CABFMAN; public at cabforum.org
>> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation
>> (BR issues 6, 8, 10, 21)
>>
>> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews
>> <Rick_Andrews at symantec.com> wrote:
>>
>> > Ben and Yngve,
>> >
>> > Thanks for the clarifications. I understand then that CAs can check for
>> > coprime with phi(n) only for their own roots and intermediates, not for
>> > end entity certs. But this ballot will require all CAs to check that the
>> > exponent is odd and within that range for all end entity certs,
>> > effective immediately.
>>
>> Which is essentially the current requirements in the referenced NIST
>> document.
>
> Yngve, just for the record, that NIST document establishes requirements for
> Personal Identity Verification (PIV) for US Government agencies. It's a
> recommendation for everyone else, and does not explicitly mention SSL or
> TLS. I agree that its recommendations make sense for SSL certs too, but
> let's be clear that it does not impose any requirements on CAs who sell SSL
> certs, especially non-US CAs.
>
> -Rick


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
********************************************************************
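
Added example, not part of the thread or of any CA/Browser Forum text: a Python sketch of the public-key checks in the wording Ben Wilson proposes above, with the SHALL item reported as an error and the SHOULD items as warnings. The function names, messages and SAMPLE_N are assumptions, and a prime modulus is treated here as a power of a prime (exponent 1).

```python
import math
import random

# Primes below 752, the bound in the proposed text ("no factors smaller than 752").
SMALL_PRIMES = [p for p in range(2, 752) if all(p % d for d in range(2, math.isqrt(p) + 1))]
SMALL_PRODUCT = math.prod(SMALL_PRIMES)
SAMPLE_N = (2**31 - 1) * (2**61 - 1)  # constructed sample modulus: two Mersenne primes

def iroot(n, k):
    """Largest integer r with r**k <= n, by binary search."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with random bases."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_prime_power(n):
    """True if n == p**k for a prime p and k >= 1 (assumption: k = 1 counts)."""
    return any(r ** k == n and is_probable_prime(r)
               for k in range(1, n.bit_length() + 1) for r in [iroot(n, k)])

def check_rsa_public_key(n, e):
    """Return (errors, warnings): failed SHALL items and failed SHOULD items."""
    errors = ["exponent must be odd and >= 3"] if e < 3 or e % 2 == 0 else []
    should = [
        (2**16 + 1 <= e <= 2**256 - 1, "exponent outside 2^16+1 .. 2^256-1"),
        (n % 2 == 1, "modulus is even"),
        (math.gcd(n, SMALL_PRODUCT) == 1, "modulus has a factor smaller than 752"),
        (not is_prime_power(n), "modulus is a power of a prime"),
    ]
    return errors, [msg for ok, msg in should if not ok]
```

With this split, an exponent of 3 passes the SHALL check but is flagged by the SHOULD range, which is the distinction the proposed wording draws.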

