[Servercert-wg] Compromised/Weak Keys Ballot Proposal

Wayne Thayer wthayer at gmail.com
Tue Feb 13 00:08:25 UTC 2024


Thank you for the feedback, Aaron. I agree with both points you made in the
PR and have updated it to reflect your suggestions.

- Wayne

On Mon, Feb 12, 2024 at 12:27 PM Aaron Gable <aaron at letsencrypt.org> wrote:

> Thank you Wayne! I think this gets close to the sweet spot for me,
> personally. I've left two small comments on the ballot, but on the whole I
> think I like this approach.
>
> Thanks again,
> Aaron
>
> On Mon, Feb 12, 2024 at 8:18 AM Wayne Thayer via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Following up from the last SCWG teleconference, I've reviewed the
>> feedback from the discussion [1] and voting [2] periods for ballot SC-59
>> Weak Key Guidance, along with the prior discussions on the "made aware"
>> language in section 6.1.1.3 [3] and I would like to propose the following
>> Baseline Requirements improvements:
>>
>> * Scope the 6.1.1.3 "made aware" language to "made aware via the CA's
>> documented problem reporting mechanism". This addresses the concern that I
>> raised by limiting how a CA can be "made aware". [4]
>>
>> * Remove the Debian requirements from the prior weak keys ballot and
>> replace them with language that excludes Debian weak keys. Otherwise use
>> the language from the prior ballot, with the exception of a new effective
>> date. This consolidates feedback that CAs do desire the clarity that would
>> have been provided by the prior ballot, but many believe that the burden
>> for rejecting Debian weak keys exceeds the value of doing so at this point
>> in time.
>>
>> Here's the result: https://github.com/wthayer/servercert/pull/1/files
>>
>> Note that, while there has been discussion about completely removing weak
>> key checking requirements, there does not appear to be a consensus to do so.
>>
>> I would appreciate everyone's feedback on the proposal, and I am also
>> seeking endorsers.
>>
>> Thanks,
>>
>> Wayne
>>
>> [1]
>> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html
>> [2]
>> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html
>> [3]
>> https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html
>> [4] https://github.com/cabforum/servercert/issues/442
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>