[cabfpub] [cabfman] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Wed Oct 31 18:32:57 UTC 2012


Hi 

I do agree with Rick. 

And it is not clear to me which parts of the NIST document we must consider. If it's only the public key recommendations in chapter 3.1, i.e. table 3.2 and the paragraph before, why not just include this in the BR (isn't this already included for RSA?) and remove the reference to the NIST document?

The rest of this twenty-page document is mostly out of scope.

Regards
Mads

-----Original Message-----
From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: 31 October 2012 19:10
To: Yngve N. Pettersen (Developer Opera Software ASA)
Cc: CABFMAN; public at cabforum.org
Subject: Re: [cabfman] [cabfpub] Ballot [93] - Reasons for Revocation (BR issues 6, 8, 10, 21)

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA)
> Sent: Wednesday, October 31, 2012 8:53 AM
> To: Rick Andrews
> Cc: CABFMAN; public at cabforum.org
> Subject: Re: [cabfpub] [cabfman] Ballot [93] - Reasons for Revocation 
> (BR issues 6, 8, 10, 21)
> 
> On Wed, 31 Oct 2012 16:31:35 +0100, Rick Andrews 
> <Rick_Andrews at symantec.com> wrote:
> 
> > Ben and Yngve,
> >
> > Thanks for the clarifications. I understand then that CAs can check
> > for coprime with phi(n) only for their own roots and intermediates,
> > not for end entity certs. But this ballot will require all CAs to
> > check that the exponent is odd and within that range for all end
> > entity certs, effective immediately.
> 
> Which is essentially the current requirements in the referenced NIST 
> document.

Yngve, just for the record, that NIST document establishes requirements for Personal Identity Verification (PIV) for US Government agencies. It's a recommendation for everyone else, and does not explicitly mention SSL or TLS. I agree that its recommendations make sense for SSL certs too, but let's be clear that it does not impose any requirements on CAs who sell SSL certs, especially non-US CAs.

-Rick
_______________________________________________
Management mailing list
Management at cabforum.org
https://cabforum.org/mailman/listinfo/management


