[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Yoshihiko Matsuo yoshihiko at jprs.co.jp
Thu May 2 04:35:52 UTC 2024 

JPRS votes YES to Ballot SC-073

Yoshihiko Matsuo

On 2024/04/26 9:00, Wayne Thayer via Servercert-wg wrote:
> Purpose of Ballot SC-073
> 
> This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to weak and compromised private keys. These changes lie primarily in Section 6.1.1.3 <http://6.1.1.3>:
> 
>   *
> 
>     6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be made aware of compromised keys using their existing notification mechanism(s).
> 
>   *
> 
>     6.1.1.3(5) improves guidance for CAs around the detection of weak keys. Should this ballot pass, these changes become effective on November 15, 2024.
> 
> Notes:
> 
>   *
> 
>     This ballot builds on the extensive work done by SSL.com in creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
> 
>   *
> 
>     Thanks to Rob Stradling of Sectigo for the generation and publication of the set of Debian weak keys referenced in this ballot.
> 
>   *
> 
>     The Debian weak keys requirements have been discussed extensively, including in the following threads: https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html <https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html>and https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html <https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html>
> 
>   *
> 
>     This ballot does not appear to conflict with any other ballots that are currently under discussion.
> 
> 
> The following motion has been proposed by Wayne Thayer of Fastly, and endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
> 
> — Motion Begins —
> 
> This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.3.
> 
> MODIFY the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates as specified in the following Redline:
> 
> Here is a link to the immutable GitHub redline: https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 <https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0>
> 
> — Motion Ends —
> 
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> 
>   *
> 
>     Start time: 2024-04-18 00:00:00 UTC
> 
>   *
> 
>     End time: 2024-04-26 00:00:00 UTC
> 
> Vote for approval (7 days)
> 
>   *
> 
>     Start time: 2024-04-26 00:00:00 UTC
> 
>   * End time: 2024-05-03 00:00:00 UTC
> 
> 
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg

More information about the Servercert-wg mailing list