[Servercert-wg] Compromised/Weak Keys Ballot Proposal

Wayne Thayer wthayer at gmail.com
Mon Feb 12 16:18:08 UTC 2024

Following up from the last SCWG teleconference, I've reviewed the feedback
from the discussion [1] and voting [2] periods for ballot SC-59 Weak Key
Guidance, along with the prior discussions on the "made aware" language in
section [3] and I would like to propose the following Baseline
Requirements improvements:

* Scope the "made aware" language to "made aware via the CA's
documented problem reporting mechanism". This addresses the concern that I
raised by limiting how a CA can be "made aware". [4]

* Remove the Debian requirements from the prior weak keys ballot and
replace them with language that excludes Debian weak keys. Otherwise use
the language from the prior ballot, with the exception of a new effective
date. This consolidates feedback that CAs do desire the clarity that would
have been provided by the prior ballot, but many believe that the burden
for rejecting Debian weak keys exceeds the value of doing so at this point
in time.

Here's the result: https://github.com/wthayer/servercert/pull/1/files

Note that, while there has been discussion about completely removing weak
key checking requirements, there does not appear to be a consensus to do so.

I would appreciate everyone's feedback on the proposal, and I am also
seeking endorsers.



[1] https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html
[2] https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html
[3] https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html
[4] https://github.com/cabforum/servercert/issues/442
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240212/45bb373d/attachment.html>

More information about the Servercert-wg mailing list