[Servercert-wg] Compromised/Weak Keys Ballot Proposal

Aaron Gable aaron at letsencrypt.org
Mon Feb 12 19:27:35 UTC 2024

Thank you Wayne! I think this gets close to the sweet spot for me,
personally. I've left two small comments on the ballot, but on the whole I
think I like this approach.

Thanks again,

On Mon, Feb 12, 2024 at 8:18 AM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Following up from the last SCWG teleconference, I've reviewed the feedback
> from the discussion [1] and voting [2] periods for ballot SC-59 Weak Key
> Guidance, along with the prior discussions on the "made aware" language in
> section [3] and I would like to propose the following Baseline
> Requirements improvements:
>
> * Scope the "made aware" language to "made aware via the CA's
> documented problem reporting mechanism". This addresses the concern that I
> raised by limiting how a CA can be "made aware". [4]
> * Remove the Debian requirements from the prior weak keys ballot and
> replace them with language that excludes Debian weak keys. Otherwise use
> the language from the prior ballot, with the exception of a new effective
> date. This consolidates feedback that CAs do desire the clarity that would
> have been provided by the prior ballot, but many believe that the burden
> for rejecting Debian weak keys exceeds the value of doing so at this point
> in time.
>
> Here's the result: https://github.com/wthayer/servercert/pull/1/files
>
> Note that, while there has been discussion about completely removing weak
> key checking requirements, there does not appear to be a consensus to do so.
>
> I would appreciate everyone's feedback on the proposal, and I am also
> seeking endorsers.
>
> Thanks,
> Wayne
>
> [1]
> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html
> [2]
> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html
> [3]
> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html
> [4] https://github.com/cabforum/servercert/issues/442