[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Inigo Barreira Inigo.Barreira at sectigo.com
Fri May 3 11:35:43 UTC 2024


Hi Tsung-Min,



Unfortunately, this vote can´t be counted because has been received past
the end date.



Regards



De: Servercert-wg <servercert-wg-bounces at cabforum.org> En nombre de ??? via
Servercert-wg
Enviado el: viernes, 3 de mayo de 2024 3:45
Para: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org>
Asunto: Re: [Servercert-wg] Voting Period Begins - Ballot SC-073:
Compromised and Weak Keys



CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.



Chunghwa Telecom votes ‘no’ on Ballot SC-073.



Tsung-Min Kuo



From: Servercert-wg <servercert-wg-bounces at cabforum.org
<mailto:servercert-wg-bounces at cabforum.org> > On Behalf Of Wayne Thayer via
Servercert-wg
Sent: Friday, April 26, 2024 2:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised
and Weak Keys



Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates related to weak
and compromised private keys. These changes lie primarily in Section 6.1.1.3
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F
&data=05%7C02%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b
580%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313269287%7CUnknow
n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
Mn0%3D%7C0%7C%7C%7C&sdata=XsHguBpbFzTu1KX7GDl9vh4Cz8WTzSRomCzAPvh4KwA%3D&res
erved=0> :

*	6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
shall be made aware of compromised keys using their existing notification
mechanism(s).
*	6.1.1.3(5) improves guidance for CAs around the detection of weak
keys. Should this ballot pass, these changes become effective on November
15, 2024.

Notes:

*	This ballot builds on the extensive work done by SSL.com in creating
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*	Thanks to Rob Stradling of Sectigo for the generation and
publication of the set of Debian weak keys referenced in this ballot.
*	The Debian weak keys requirements have been discussed extensively,
including in the following threads:
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html&data=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b580%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313281535%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C&sdata=kuaRbNhWpVAuQPa4xzdso6W9vYTO1WkXiYoDM7Kp%2BRY%3D&reserved=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
and
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html&data=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b580%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313290247%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C&sdata=Yx6buWDf7d2U%2FLNpKUah9SBqKasSXxW9xPQS0fZL9MU%3D&reserved=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
*	This ballot does not appear to conflict with any other ballots that
are currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

- Motion Begins -

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates as specified in the following
Redline:

Here is a link to the immutable GitHub redline:
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807
c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

- Motion Ends -

This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

Discussion (7+ days)

*	Start time: 2024-04-18 00:00:00 UTC
*	End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*	Start time: 2024-04-26 00:00:00 UTC
*	End time: 2024-05-03 00:00:00 UTC





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240503/8cf31165/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6630 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240503/8cf31165/attachment-0001.p7s>


More information about the Servercert-wg mailing list