[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun Apr 28 06:21:59 UTC 2024


HARICA votes "yes" to ballot SC-073.

On 26/4/2024 3:00 π.μ., Wayne Thayer via Servercert-wg wrote:
>
> Purpose of Ballot SC-073
>
> This ballot proposes updates to the Baseline Requirements for the 
> Issuance and Management of Publicly-Trusted TLS Server Certificates 
> related to weak and compromised private keys. These changes lie 
> primarily in Section 6.1.1.3 <http://6.1.1.3>:
>
>  *
>
>     6.1.1.3(4) clarifies that, for the purpose of this requirement,
>     CAs shall be made aware of compromised keys using their existing
>     notification mechanism(s).
>
>  *
>
>     6.1.1.3(5) improves guidance for CAs around the detection of weak
>     keys. Should this ballot pass, these changes become effective on
>     November 15, 2024.
>
> Notes:
>
>  *
>
>     This ballot builds on the extensive work done by SSL.com in
>     creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions
>     are appreciated.
>
>  *
>
>     Thanks to Rob Stradling of Sectigo for the generation and
>     publication of the set of Debian weak keys referenced in this ballot.
>
>  *
>
>     The Debian weak keys requirements have been discussed extensively,
>     including in the following threads:
>     https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
>     <https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html>and
>     https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
>     <https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html>
>
>  *
>
>     This ballot does not appear to conflict with any other ballots
>     that are currently under discussion.
>
>
> The following motion has been proposed by Wayne Thayer of Fastly, and 
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline 
> Requirements”), based on Version 2.0.3.
>
> MODIFY the Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted TLS Server Certificates as specified in the following 
> Redline:
>
> Here is a link to the immutable GitHub redline: 
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 
> <https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0>
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for 
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>  *
>
>     Start time: 2024-04-18 00:00:00 UTC
>
>  *
>
>     End time: 2024-04-26 00:00:00 UTC
>
> Vote for approval (7 days)
>
>  *
>
>     Start time: 2024-04-26 00:00:00 UTC
>
>   * End time: 2024-05-03 00:00:00 UTC
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240428/8e520bfd/attachment.html>


More information about the Servercert-wg mailing list