[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sat Nov 3 04:54:19 UTC 2012


Ben and Yngve -- it would have been much better if you had "withdrawn" the previous Ballot 93, and started again with a reposted Ballot 93 showing changes from the prior ballot, allowing 7 more days to review and 7 days to vote.

I am so confused by what's in Ballot 93 that we will sit this one out and not vote.

In the future, all ballots that are amended should start again.

-----Original Message-----
From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, November 01, 2012 11:26 PM
To: 'Mads Egil Henriksveen'; 'Rick Andrews'; 'Yngve N. Pettersen (Developer Opera Software ASA)'
Cc: 'CABFMAN'; public at cabforum.org
Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

What if Part E of Ballot 93 read,

1.  Add the following to Section 3. References

"NIST SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf"

2.  Add the following after Appendix A, table (3):

"(4) General requirements for public keys (Effective 1 January 2013)
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more.  Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1.  The modulus SHOULD also have the following characteristics:  an odd number, not the power of a prime, and have no factors smaller than 752.  [Source:  Section 5.3.3, NIST SP 800-89]."
?
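The checks in the proposed Appendix A (4) text, written out as an added Python example that is not CA/Browser Forum text or any CA's code. It also accepts optional factors (p, q) so that a CA can run the gcd(e, phi(n)) check on its own roots and intermediates, which Rick notes is the only place that check is possible; the key values used are constructed for illustration.

```python
# Added example (not CA/Browser Forum or any CA's code): check an RSA public key against
# the Appendix A (4) text proposed in this thread. Sample keys in the tests are constructed.
import math
import random

SMALL_PRIMES = [p for p in range(2, 752) if all(p % q for q in range(2, int(p**0.5) + 1))]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; decides whether the modulus is itself a prime (called only for n > 1)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_perfect_power(n):
    """True if n == m**k for some m >= 2, k >= 2 (catches prime powers p**k, k >= 2)."""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // k + 1)
        while lo < hi:  # exact integer binary search for the largest lo with lo**k <= n
            mid = (lo + hi + 1) // 2
            lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
        if lo >= 2 and lo ** k == n:
            return True
    return False

def check_rsa_public_key(n, e, factors=None):
    """Return (shall_failures, should_failures); factors=(p, q) only the CA knows for its own keys."""
    shall, should = [], []
    if e % 2 == 0 or e < 3:
        shall.append("exponent is not an odd number >= 3")
    if not 2**16 + 1 <= e <= 2**256 - 1:
        should.append("exponent outside 2^16+1 .. 2^256-1")
    small = [p for p in SMALL_PRIMES if n % p == 0]
    if small:  # an even modulus shows up here as the factor 2
        should.append("modulus has factors smaller than 752: %s" % small)
    elif n > 1 and (is_probable_prime(n) or is_perfect_power(n)):
        should.append("modulus is a prime or a power of a prime")
    if factors and math.gcd(e, (factors[0] - 1) * (factors[1] - 1)) != 1:
        should.append("exponent not coprime with phi(n)")
    return shall, should
```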

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Mads Egil Henriksveen
Sent: Wednesday, October 31, 2012 12:33 PM
To: Rick Andrews; Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Hi 

I do agree with Rick. 

And it is not clear to me which parts of the NIST document we must consider.
If it's only the public key recommendations in chapter 3.1, i.e. table 3.2 and the paragraph before, why not just include this in the BR (isn't this already included for RSA) and remove the reference to the NIST document?

The rest of this twenty-page document is mostly out-of-scope. 

Regards
Mads

-----Original Message-----
From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: 31. oktober 2012 19:10
To: Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Wednesday, October 31, 2012 8:53 AM
> To: Rick Andrews
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation 
> (BR issues 6, 8, 10, 21)
> 
> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews 
> <Rick_Andrews at symantec.com> wrote:
> 
> > Ben and Yngve,
> >
> > Thanks for the clarifications. I understand then that CAs can check for
> > coprime with phi(n) only for their own roots and intermediates, not for
> > end entity certs. But this ballot will require all CAs to check that the
> > exponent is odd and within that range for all end entity certs,
> > effective immediately.
> 
> Which is essentially the current requirements in the referenced NIST 
> document.

Yngve, just for the record, that NIST document establishes requirements for Personal Identity Verification (PIV) for US Government agencies. It's a recommendation for everyone else, and does not explicitly mention SSL or TLS. I agree that its recommendations make sense for SSL certs too, but let's be clear that it does not impose any requirements on CAs who sell SSL certs, especially non-US CAs.

-Rick
_______________________________________________
Management mailing list
Management at cabforum.org
https://cabforum.org/mailman/listinfo/management
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
