[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Rick Andrews Rick_Andrews at symantec.com
Wed Oct 31 18:10:05 UTC 2012


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Wednesday, October 31, 2012 8:53 AM
> To: Rick Andrews
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation
> (BR issues 6, 8, 10, 21)
> 
> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews
> <Rick_Andrews at symantec.com> wrote:
> 
> > Ben and Yngve,
> >
> > Thanks for the clarifications. I understand then that CAs can check for
> > coprime with phi(n) only for their own roots and intermediates, not for
> > end entity certs. But this ballot will require all CAs to check that the
> > exponent is odd and within that range for all end entity certs,
> > effective immediately.
> 
> Which is essentially the current requirements in the referenced NIST
> document.

Yngve, just for the record, that NIST document establishes requirements for Personal Identity Verification (PIV) for US Government agencies. It's a recommendation for everyone else, and does not explicitly mention SSL or TLS. I agree that its recommendations make sense for SSL certs too, but let's be clear that it does not impose any requirements on CAs who sell SSL certs, especially non-US CAs.

-Rick
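
The two kinds of check discussed in this thread, as an added example that is not part of the original message: the odd/range test needs only the public exponent, while the coprime-with-phi(n) test needs the secret primes, which is why a CA can run it only on its own keys. The range bounds, function names and toy primes are assumptions made for illustration; the message itself gives no numbers.

```python
from math import gcd

# Assumed bounds: the message says only "within that range" and gives no numbers.
E_MIN = 2**16 + 1
E_MAX = 2**256 - 1


def check_public_exponent(e, e_min=E_MIN, e_max=E_MAX):
    """Checks that need only the public key, so they work for any certificate."""
    problems = []
    if e % 2 == 0:
        problems.append("exponent is even")
    if not (e_min <= e <= e_max):
        problems.append("exponent outside range")
    return problems


def check_coprime_with_phi(e, p, q):
    """Needs the secret primes p and q, so only the key's owner can run it."""
    phi = (p - 1) * (q - 1)
    return gcd(e, phi) == 1


# Constructed toy primes (far too small for real use), standing in for a CA's own key.
P, Q = 1009, 1013

if __name__ == "__main__":
    # 65541 = 3 * 21847 is odd and in range, yet shares the factor 3 with phi(n):
    # the public-only checks cannot see that, the private check can.
    for e in (65537, 65538, 3, 65541):
        print(e, check_public_exponent(e), check_coprime_with_phi(e, P, Q))
```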


