[Servercert-wg] Questions about spring cleanup ballot and 6.1.1.3
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu May 14 10:31:03 MST 2020
I just had a quick review of
https://github.com/sleevi/cabforum-docs/pull/12/commits/48d12dc25dc458f163b852ea2487473cc084f112
which moves some requirements from 4.9.1.1 into 6.1.1.3.

I believe this change brings a significant normative change to the BRs.
According to 4.9.1.1, if an already issued certificate is demonstrated
to be using a compromised key, it must be revoked. If this moves to
6.1.1.3, the CA MUST PREVENT such a certificate from being issued in the
first place.

The current language of 6.1.1.3 seems to already be quite ambiguous
about the minimum expectations a CA has to follow, to prevent things
like "Debian weak keys", as we saw in the parallel thread
<https://cabforum.org/pipermail/servercert-wg/2020-April/001821.html>.
Adding more vague requirements without auditable criteria is not a good
improvement.

I think we should invest time and effort to improve the language of
6.1.1.3 separately from this cleanup/clarifications ballot.

Dimitris.