[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Ben Wilson ben at digicert.com
Wed Oct 31 11:43:17 MST 2012


Before we decide whether to extend voting on this ballot for one week and
make some more minor changes, there may be still a chance to salvage this
ballot by making those changes today.  I'll take a look.  Either way, I
don't think it will be appropriate to withdraw this ballot.  So stay tuned. 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Mads Egil Henriksveen
Sent: Wednesday, October 31, 2012 12:33 PM
To: Rick Andrews; Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR
issues 6, 8, 10, 21)

Hi 

I do agree with Rick. 

And it is not clear to me which parts of the NIST document we must consider.
If it's only the public key recommendations in chapter 3.1, i.e. table 3.2
and the paragraph before, why not just include this in the BR (isn't this
already included for RSA) and remove the reference to the NIST document?

The rest of this twenty-page document is mostly out-of-scope. 

Regards
Mads

-----Original Message-----
From: management-bounces at cabforum.org
[mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: 31. oktober 2012 19:10
To: Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR
issues 6, 8, 10, 21)

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Wednesday, October 31, 2012 8:53 AM
> To: Rick Andrews
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation 
> (BR issues 6, 8, 10, 21)
> 
> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews 
> <Rick_Andrews at symantec.com> wrote:
> 
> > Ben and Yngve,
> >
> > Thanks for the clarifications. I understand then that CAs can check for
> > coprime with phi(n) only for their own roots and intermediates, not for
> > end entity certs. But this ballot will require all CAs to check that the
> > exponent is odd and within that range for all end entity certs,
> > effective immediately.
> 
> Which is essentially the current requirements in the referenced NIST 
> document.

Yngve, just for the record, that NIST document establishes requirements for
Personal Identity Verification (PIV) for US Government agencies. It's a
recommendation for everyone else, and does not explicitly mention SSL or
TLS. I agree that its recommendations make sense for SSL certs too, but
let's be clear that it does not impose any requirements on CAs who sell SSL
certs, especially non-US CAs.

-Rick
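
Added example, not part of any message in this thread: a sketch of the two kinds of RSA exponent check discussed above, showing why the odd-and-in-range check works on any certificate while the coprime-with-phi(n) check needs the private factors. The range bounds, function names and toy key values are assumptions made for illustration; the thread itself does not state the range.

```python
from math import gcd

# Assumed bounds: the thread only says "within that range"; these values
# are an assumption for illustration, not taken from the page.
E_MIN = 2**16 + 1
E_MAX = 2**256 - 1

def public_exponent_ok(e, e_min=E_MIN, e_max=E_MAX):
    """Check possible on any certificate: needs only the public exponent."""
    return e % 2 == 1 and e_min <= e <= e_max

def coprime_with_phi(e, p, q):
    """Check possible only for a key whose prime factors p and q are known."""
    return gcd(e, (p - 1) * (q - 1)) == 1

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def prime_congruent_1_mod(e):
    """Smallest prime p with p = 1 (mod e), so that e divides p - 1."""
    k = 2  # even k keeps e*k + 1 odd for odd e
    while not is_prime(e * k + 1):
        k += 2
    return e * k + 1

def constructed_bad_key(e=65537):
    """Constructed toy key (far too small for real use) in which e shares
    a factor with phi(n), so no matching private exponent exists."""
    p = prime_congruent_1_mod(e)
    q = 1000003  # constructed toy prime
    return p, q, e

if __name__ == "__main__":
    p, q, e = constructed_bad_key()
    print("public-only check passes:", public_exponent_ok(e))
    print("coprime with phi(n):     ", coprime_with_phi(e, p, q))
```

The constructed key passes the public-only check and fails the phi(n) check, which is the gap a relying party or third-party CA cannot see from the certificate alone.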