[Servercert-wg] [EXTERNAL] Voting Period Begins - Ballot SC-59 v2 "Weak Key Guidance"
Ryan Dickson
ryandickson at google.com
Wed Jul 12 13:21:00 UTC 2023
Google ABSTAINS on voting for Ballot SC-59 v2.
On Tue, Jul 11, 2023 at 4:24 PM Paul van Brouwershaven via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Entrust votes NO on Ballot SC-59 v2.
>
> While we are in compliance with the proposed requirements, we concur with
> others that it would be more beneficial to continue the recent discussion
> to prevent the need for another update to this section shortly after
> this ballot passes.
>
>
> ------------------------------
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Tom Zermeno via Servercert-wg <servercert-wg at cabforum.org>
> *Sent:* Thursday, July 6, 2023 18:17
> *To:* Infrastructure Bot via Servercert-wg <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] [Servercert-wg] Voting Period Begins - Ballot SC-59
> v2 "Weak Key Guidance"
>
>
> *Purpose of the Ballot SC-59*
>
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates related to the
> identification and revocation of certificates with private keys that were
> generated in a manner that may make them susceptible to easy decryption. It
> specifically deals with Debian weak keys, ROCA, and Close Primes
> Vulnerability.
>
> Notes:
>
> - Thank you to the participants who voiced opinions and concerns about
> the previous version of the ballot. While there were many concerns about
> the inclusion of the Debian weak keys checks, we have decided to leave the
> checks in the ballot. Our reasoning is that we wanted to strengthen the
> guidance statements, to help CAs ensure compliant certificate generation.
> Future reviews of the BRs may cull the requirements, as is required by the
> needs of the community.
> - We believe that the requested date of November 15, 2023, will allow
> enough time for Certificate Authorities to enact any changes to their
> systems to ensure that they perform the weak key checks on all CSRs
> submitted for TLS certificates.
> - The changes introduced in SC-59 do not conflict with any of the
> recent ballots. As observed with other ballots in the past, minor
> administrative updates must be made to the proposed ballot text before
> publication such that the appropriate Version # and Change History are
> accurately represented (e.g., to indicate these changes will be represented
> in Version 2.0.1).
>
> The following motion has been proposed by Thomas Zermeno of SSL.com and
> has been endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of
> Mozilla.
>
> *- Motion Begins -*
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.0.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
> https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a
>
>
> *- Motion Ends -*
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7 days)
>
> • Start time: 2023-06-26 22:00:00 UTC
>
> • End time: 2023-07-03 21:59:59 UTC
>
> *Vote for approval (7 days)*
>
> *• Start Time: 2023-07-06 17:00:00*
>
> *• End Time: 2023-07-13 16:59:59*
>
>