[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Sat Nov 3 10:00:54 UTC 2012


Kirk,

Compared to the text that was originally posted, the only changes are to  
the new Appendix A (4) and an additional reference (original point E),  
replacement text below (aka redline), and clearing up that the rest of the  
changes take effect immediately (which was posted before the original  
voting period started). The rest of the ballot text is the same as before.

The fundamental problem this time, and with Ballot 92, is that the real  
"discussion period" started a week too late for both ballots.

In this ballot, the actual problematic part was very limited, specifically  
to the inclusion by reference of the entire NIST document. That could be  
resolved with the changes suggested below by Ben.

As the problem area was so specific, we decided to extend the ballot,  
allowing a couple of days discussion period past the 13 days already used,  
to update the text.


On Sat, 03 Nov 2012 05:54:19 +0100, kirk_hall at trendmicro.com  
<kirk_hall at trendmicro.com> wrote:

> Ben and Yngve -- it would have been much better if you had "withdrawn"  
> the previous Ballot 93, and started again with a reposted Ballot 93  
> showing changes from the prior ballot, allowing 7 more days to review  
> and 7 days to vote.
>
> I am so confused by what's in Ballot 93 that we will sit this one out  
> and not vote.
>
> In the future, all ballots that are amended should start again.
>
> -----Original Message-----
> From: management-bounces at cabforum.org  
> [mailto:management-bounces at cabforum.org] On Behalf Of Ben Wilson
> Sent: Thursday, November 01, 2012 11:26 PM
> To: 'Mads Egil Henriksveen'; 'Rick Andrews'; 'Yngve N. Pettersen  
> (Developer Opera Software ASA)'
> Cc: 'CABFMAN'; public at cabforum.org
> Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation  
> (BR issues 6, 8, 10, 21)
>
> What if Part E of Ballot 93 read,
>
> 1.  Add the following to Section 3. References
>
> "NIST SP 800-89, Recommendation for Obtaining Assurances for Digital  
> Signature Applications,  
> http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf
> "
>
> 2.  Add the following after Appendix A, table (3):
>
> "(4) General requirements for public keys (Effective 1 January 2013)
> RSA: The CA SHALL confirm that the value of the public exponent is an
> odd number equal to 3 or more. Additionally, the public exponent SHOULD
> be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also
> have the following characteristics: an odd number, not the power of a
> prime, and have no factors smaller than 752. [Source: Section 5.3.3,
> NIST SP 800-89]."
> ?
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]  
> On Behalf Of Mads Egil Henriksveen
> Sent: Wednesday, October 31, 2012 12:33 PM
> To: Rick Andrews; Yngve N. Pettersen (Developer Opera Software ASA)
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation  
> (BR issues 6, 8, 10, 21)
>
> Hi
>
> I do agree with Rick.
>
> And it is not clear to me which parts of the NIST document we must  
> consider.
> If it's only the public key recommendations in chapter 3.1, i.e. table  
> 3.2 and the paragraph before, why not just include this in the BR (isn't  
> this already included for RSA) and remove the reference to the NIST  
> document?
>
> The rest of this twenty-page document is mostly out-of-scope.
>
> Regards
> Mads
>
> -----Original Message-----
> From: management-bounces at cabforum.org
> [mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
> Sent: 31. oktober 2012 19:10
> To: Yngve N. Pettersen (Developer Opera Software ASA)
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation  
> (BR issues 6, 8, 10, 21)
>
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
>> Sent: Wednesday, October 31, 2012 8:53 AM
>> To: Rick Andrews
>> Cc: CABFMAN; public at cabforum.org
>> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation
>> (BR issues 6, 8, 10, 21)
>>
>> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews
>> <Rick_Andrews at symantec.com> wrote:
>>
>> > Ben and Yngve,
>> >
>> > Thanks for the clarifications. I understand then that CAs can check
>> for
>> > coprime with phi(n) only for their own roots and intermediates, not
>> for
>> > end entity certs. But this ballot will require all CAs to check that
>> the
>> > exponent is odd and within that range for all end entity certs,
>> > effective immediately.
>>
>> Which is essentially the current requirements in the referenced NIST
>> document.
>
> Yngve, just for the record, that NIST document establishes requirements  
> for Personal Identity Verification (PIV) for US Government agencies.  
> It's a recommendation for everyone else, and does not explicitly mention  
> SSL or TLS. I agree that its recommendations make sense for SSL certs  
> too, but let's be clear that it does not impose any requirements on CAs  
> who sell SSL certs, especially non-US CAs.
>
> -Rick
> _______________________________________________
> Management mailing list
> Management at cabforum.org
> https://cabforum.org/mailman/listinfo/management
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
********************************************************************
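
The RSA public key checks in the proposed Appendix A (4) text quoted above, written out as an added example; this code is not part of the original message or of any CA/Browser Forum document, and all function names are hypothetical. It assumes SHALL failures are reported as errors and SHOULD deviations as warnings, and it flags any perfect power r^k (k >= 2) as a conservative superset of "power of a prime".

```python
from math import gcd, isqrt, prod

def primes_below(limit):
    """Sieve of Eratosthenes: all primes strictly below limit."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit, i)))
    return [i for i, flag in enumerate(sieve) if flag]

# One gcd against this product replaces trial division by every prime < 752.
SMALL_PRIME_PRODUCT = prod(primes_below(752))

def iroot(n, k):
    """Largest integer r with r**k <= n (binary search, exact integer math)."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def is_perfect_power(n):
    """True if n == r**k for some integers r >= 2, k >= 2."""
    return any(iroot(n, k) ** k == n for k in range(2, n.bit_length() + 1))

def check_rsa_public_key(n, e):
    """Return (errors, warnings) for modulus n and public exponent e.

    errors   = violations of the SHALL clause (exponent odd and >= 3)
    warnings = deviations from the SHOULD clauses (assumed severity split)
    """
    errors, warnings = [], []
    if e < 3 or e % 2 == 0:
        errors.append("exponent is not an odd number >= 3")
    if not (2**16 + 1 <= e <= 2**256 - 1):
        warnings.append("exponent outside 2^16+1 .. 2^256-1")
    if n % 2 == 0:
        warnings.append("modulus is even")
    if is_perfect_power(n):
        warnings.append("modulus is a perfect power")
    if gcd(n, SMALL_PRIME_PRODUCT) != 1:
        warnings.append("modulus has a factor smaller than 752")
    return errors, warnings
```

An even modulus produces two warnings, since 2 is also a factor smaller than 752.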


