[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Inigo Barreira Inigo.Barreira at sectigo.com
Fri May 3 11:44:25 UTC 2024


Hi,

 

Would like to know who voted on behalf of CFCA, can you provide? I can´t find this name on the list.

 

Regards

 

De: Servercert-wg <servercert-wg-bounces at cabforum.org> En nombre de ??? via Servercert-wg
Enviado el: domingo, 28 de abril de 2024 11:24
Para: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Asunto: Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

CFCA votes "yes".





-----原始邮件-----
发件人: "Wayne Thayer via Servercert-wg" <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
发送时间: 2024-04-26 08:00:26 (星期五)
收件人: "CA/B Forum Server Certificate WG Public Discussion List" <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
主题: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to weak and compromised private keys. These changes lie primarily in Section 6.1.1.3 <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F&data=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400424129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2B5LNo%2FCaCOkUyiiX%2B5zB8Uzhqs2SLo1Wqyq6djmB8gg%3D&reserved=0> :

*	6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be made aware of compromised keys using their existing notification mechanism(s).
*	6.1.1.3(5) improves guidance for CAs around the detection of weak keys. Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

*	This ballot builds on the extensive work done by SSL.com in creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*	Thanks to Rob Stradling of Sectigo for the generation and publication of the set of Debian weak keys referenced in this ballot.
*	The Debian weak keys requirements have been discussed extensively, including in the following threads:  <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html&data=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400435454%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Sboclo8yfSdE%2Bb4EBG0eQ6aLLXjt5sGvaiqoWuiQBKc%3D&reserved=0> https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html&data=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400443529%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=18x%2BF2rFQUdPfm5h4L7bQ8eckpIIPw%2Fp1zMUUUK5yKo%3D&reserved=0> https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
*	This ballot does not appear to conflict with any other ballots that are currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (7+ days)

*	Start time: 2024-04-18 00:00:00 UTC
*	End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*	Start time: 2024-04-26 00:00:00 UTC
*	End time: 2024-05-03 00:00:00 UTC

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240503/8b245c48/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6630 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240503/8b245c48/attachment-0001.p7s>


More information about the Servercert-wg mailing list