[cabfpub] Ballot 99: Add support for DSA keys
h-kamo at secom.co.jp
Thu May 2 08:02:04 UTC 2013
Secom Trust Systems votes Yes.
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rick Andrews
> Sent: Friday, April 19, 2013 2:22 AM
> To: public at cabforum.org
> Subject: [cabfpub] Ballot 99: Add support for DSA keys
> Rick Andrews made the following motion, and Adam Langley from Google and Erwann
> Abalea from Keynectis endorsed it:
> ... Motion Begins ...
> ... Erratum Begins ...
> In the Baseline Requirements for the Issuance and Management of
> Publicly-Trusted Certificates, Appendix A, add to each of the tables (1) Root
> CA Certificates, (2) Subordinate CA Certificates, and (3) Subscriber
> Certificates a new row with these three column entries (comma-separated):
> Minimum DSA modulus and divisor size (bits) ***, L= 2048, N= 224 or L= 2048,
> N= 256, L= 2048, N= 224 or L= 2048, N= 256
> Following Table 3, change the first sentence to read (++added language++):
> * SHA-1 MAY be used ++with RSA keys++ until SHA-256 is supported widely by
> browsers used by a substantial portion of relying-parties worldwide.
> After "** A Root CA Certificate issued...", add:
> *** L and N (the bit lengths of modulus p and divisor q, respectively) are
> described in the Digital Signature Standard, FIPS 186-3
> <http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf> ).
> To Section "(4) General requirements for public keys", add:
> DSA: Although FIPS 800-57 says that domain parameters may be made available
> at some accessible site, compliant DSA certificates MUST include all domain
> parameters. This is to insure maximum interoperability among relying party
> software. The CA MUST confirm that the value of the public key has the unique
> correct representation and range in the field, and that the key has the correct
> order in the subgroup. [Source: Section 5.3.1, NIST SP 800-89].
> ECC: The CA SHOULD confirm the validity of all keys using either the ECC Full
> Public Key Validation Routine or the ECC Partial Public Key Validation Routine.
> [Source: Sections 126.96.36.199 and 188.8.131.52, respectively, NIST SP 800-56A].
> ... Erratum Ends ...
> PDF and Word versions of the proposed changes in redline are posted as
> attachments to the wiki page
> <https://www.cabforum.org/wiki/99%20-%20Add%20DSA%20Keys> ) and attached to
> this email for easier reading.
> The review period for this ballot shall commence at 21:00 UTC on 19 April 2013
> and will close at 21:00 UTC on 26 April 2013. Unless the motion is withdrawn
> during the review period, the voting period will start immediately thereafter
> and will close at 21:00 UTC on 3 May 2013. Votes must be cast by posting an
> on-list reply to this thread.
> ... Motion ends ...
> A vote in favor of the motion must indicate a clear 'yes' in the response.
> A vote against must indicate a clear 'no' in the response. A vote to abstain
> must indicate a clear 'abstain' in the response. Unclear responses will not
> be counted. The latest vote received from any representative of a voting member
> before the close of the voting period will be counted.
> Voting members are listed here: http://www.cabforum.org/forum.html
> In order for the motion to be adopted, two thirds or more of the votes cast
> by members in the CA category and one half or more of the votes cast by members
> in the browser category must be in favor. Also, at least six members must
> participate in the ballot, either by voting in favor, voting against or
More information about the Public