[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Sun Apr 28 06:21:59 UTC 2024
HARICA votes "yes" to ballot SC-073.
On 26/4/2024 3:00 a.m., Wayne Thayer via Servercert-wg wrote:
>
> Purpose of Ballot SC-073
>
> This ballot proposes updates to the Baseline Requirements for the
> Issuance and Management of Publicly-Trusted TLS Server Certificates
> related to weak and compromised private keys. These changes lie
> primarily in Section 6.1.1.3:
>
> * 6.1.1.3(4) clarifies that, for the purpose of this requirement,
>   CAs shall be made aware of compromised keys using their existing
>   notification mechanism(s).
>
> * 6.1.1.3(5) improves guidance for CAs around the detection of weak
>   keys. Should this ballot pass, these changes become effective on
>   November 15, 2024.
>
> Notes:
>
> * This ballot builds on the extensive work done by SSL.com in
>   creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions
>   are appreciated.
>
> * Thanks to Rob Stradling of Sectigo for the generation and
>   publication of the set of Debian weak keys referenced in this ballot.
>
> * The Debian weak keys requirements have been discussed extensively,
>   including in the following threads:
>   https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and
>   https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
>
> * This ballot does not appear to conflict with any other ballots
>   that are currently under discussion.
>
>
> The following motion has been proposed by Wayne Thayer of Fastly, and
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline
> Requirements”), based on Version 2.0.3.
>
> MODIFY the Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates as specified in the following
> Redline:
>
> Here is a link to the immutable GitHub redline:
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> * Start time: 2024-04-18 00:00:00 UTC
>
> * End time: 2024-04-26 00:00:00 UTC
>
> Vote for approval (7 days)
>
> * Start time: 2024-04-26 00:00:00 UTC
>
> * End time: 2024-05-03 00:00:00 UTC
>
>