[cabfpub] Ballot 99: Add support for DSA keys

Moudrick M. Dadashov md at ssc.lt
Fri May 3 19:28:28 UTC 2013


SSC votes: "Yes".

Thanks,
M.D.
On 4/18/2013 8:21 PM, Rick Andrews wrote:
> Rick Andrews made the following motion, and Adam Langley from Google 
> and Erwann Abalea from Keynectis endorsed it:
> ... Motion Begins ...
> ... Erratum Begins ...
> In the Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted Certificates, Appendix A, add to each of the tables 
> (1) Root CA Certificates, (2) Subordinate CA Certificates, and (3) 
> Subscriber Certificates a new row with these three column entries 
> (comma-separated):
> Minimum DSA modulus and divisor size (bits) ***, L= 2048, N= 224 or L= 
> 2048, N= 256, L= 2048, N= 224 or L= 2048, N= 256
> Following Table 3, change the first sentence to read (++added language++):
> * SHA-1 MAY be used ++with RSA keys++ until SHA-256 is supported 
> widely by browsers used by a substantial portion of relying-parties 
> worldwide.
> After "** A Root CA Certificate issued...", add:
> *** L and N (the bit lengths of modulus p and divisor q, respectively) 
> are described in the Digital Signature Standard, FIPS 186-3 
> (_http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf_).
> To Section "(4) General requirements for public keys", add:
> DSA: Although FIPS 800-57 says that domain parameters may be made 
> available at some accessible site, compliant DSA certificates MUST 
> include all domain parameters. This is to insure maximum 
> interoperability among relying party software. The CA MUST confirm 
> that the value of the public key has the unique correct representation 
> and range in the field, and that the key has the correct order in the 
> subgroup. [Source: Section 5.3.1, NIST SP 800-89].
> ECC: The CA SHOULD confirm the validity of all keys using either the 
> ECC Full Public Key Validation Routine or the ECC Partial Public Key 
> Validation Routine. [Source: Sections 5.6.2.5 and 5.6.2.6, 
> respectively, NIST SP 800-56A].
> ... Erratum Ends ...
> PDF and Word versions of the proposed changes in redline are posted as 
> attachments to the wiki page 
> (_https://www.cabforum.org/wiki/99%20-%20Add%20DSA%20Keys_) and 
> attached to this email for easier reading.
> The review period for this ballot shall commence at 21:00 UTC on 19 
> April 2013 and will close at 21:00 UTC on 26 April 2013. Unless the 
> motion is withdrawn during the review period, the voting period will 
> start immediately thereafter and will close at 21:00 UTC on 3 May 
> 2013. Votes must be cast by posting an on-list reply to this thread.
> ... Motion ends ...
> A vote in favor of the motion must indicate a clear 'yes' in the 
> response.
> A vote against must indicate a clear 'no' in the response. A vote to 
> abstain must indicate a clear 'abstain' in the response. Unclear 
> responses will not be counted. The latest vote received from any 
> representative of a voting member before the close of the voting 
> period will be counted.
> Voting members are listed here: _http://www.cabforum.org/forum.html_
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and one half or more of the votes 
> cast by members in the browser category must be in favor. Also, at 
> least six members must participate in the ballot, either by voting in 
> favor, voting against or abstaining.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130503/a7e53997/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2457 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130503/a7e53997/attachment-0001.p7s>


More information about the Public mailing list