[Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period
wthayer at gmail.com
Wed Jul 5 22:39:39 UTC 2023
On Wed, Jul 5, 2023 at 2:15 PM Clint Wilson via Servercert-wg <servercert-wg at cabforum.org> wrote:
> I agree with the ballot author(s) and endorsers. This ballot is focused on
> addressing gaps in the current BRs related to overall weak key guidance
> (not just Debian weak key checks). The topic of removing the requirement
> for Debian weak key checking is separate from what I understand the intent
> and goal of this ballot to ever have been and should be addressed in its
> own ballot.
> Is the concern from CAs that the Debian weak key requirements in this
> ballot are meaningfully different than what they’re doing today, and they’d
> like to avoid doing that work? If so, can you explain what the
> difference(s) is and what impact it’s expected to have for your CA?
I don't want to speak for Christophe, but the proposed requirements for
checking Debian weak keys are clearly more prescriptive and will at a
minimum require any diligent CA to evaluate their implementation to verify
compliance. I don't think it's unreasonable to assume that some CAs will
need to make changes to fully comply. Given the debate about the value of
this requirement, moving ahead is a suboptimal use of CA resources.
Suggestion: Perhaps the specifics could be removed from the Debian weak
keys list item in this ballot and deferred to a future ballot that either
completely removes, or adds the desired detail to the requirement?
> FWIW my read of the current situation is that I don’t think there’s
> consensus to remove Debian weak key checks at this time, but I do think
> there’s at least rough consensus that it’s a topic worth