[Servercert-wg] Voting Period Begins - Ballot SC-59 v2 "Weak Key Guidance"

Yoshiro YONEYA yoshiro.yoneya at jprs.co.jp
Thu Jul 13 04:26:20 UTC 2023

JPRS votes NO to Ballot SC-59 v2.

As some others commented, we think it would be more beneficial to continue discussion on "Weak Key Guidance" for the stability of the BR.

Yoshiro YONEYA <yoshiro.yoneya at jprs.co.jp>

On Thu, 6 Jul 2023 16:17:39 +0000 Tom Zermeno via Servercert-wg <servercert-wg at cabforum.org> wrote:

> Purpose of the Ballot SC-59
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates related to the
> identification and revocation of certificates with private keys that were
> generated in a manner that may make them susceptible to easy decryption. It
> specifically deals with Debian weak keys, ROCA, and Close Primes
> Vulnerability. 
> Notes:  
> *	Thank you to the participants who voiced opinions and concerns about
> the previous version of the ballot.  While there were many concerns about
> the inclusion of the Debian weak keys checks, we have decided to leave the
> checks in the ballot.  Our reasoning is that we wanted to strengthen the
> guidance statements, to help CAs ensure compliant certificate generation.
> Future reviews of the BRs may cull the requirements, as is required by the
> needs of the community. 
> *	We believe that the requested date of November 15, 2023, will allow
> enough time for Certificate Authorities to enact any changes to their
> systems to ensure that they perform the weak key checks on all CSRs
> submitted for TLS certificates. 
> *	The changes introduced in SC-59 do not conflict with any of the
> recent ballots. As observed with other ballots in the past, minor
> administrative updates must be made to the proposed ballot text before
> publication such that the appropriate Version # and Change History are
> accurately represented (e.g., to indicate these changes will be represented
> in Version 2.0.1).  
> The following motion has been proposed by Thomas Zermeno of SSL.com and has
> been endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla. 
> - Motion Begins -  
> This ballot modifies the "Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
> based on Version 2.0.0. 
> MODIFY the Baseline Requirements as specified in the following Redline:
> <https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3...SSLcom:servercert:958e6ccac857b826fead6e4bd06d58f4fdd7fa7a>
> - Motion Ends - 
> The procedure for approval of this ballot is as follows:
> Discussion (7 days)
> * Start time: 2023-06-26 22:00:00 UTC
> * End time: 2023-07-03 21:59:59 UTC
> Vote for approval (7 days)
> * Start Time: 2023-07-06 17:00:00
> * End Time: 2023-07-13 16:59:59
