Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-26 Thread Brittany Randall via Servercert-wg
GoDaddy votes yes to ballot SC-073

Best,

Brittany

From: Servercert-wg on behalf of Wayne Thayer via Servercert-wg
Sent: Thursday, April 25, 2024 5:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).

  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.

  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC

  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC

  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg
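The ballot above describes weak-key detection only at the policy level ("improves guidance for CAs around the detection of weak keys", with a published set of Debian weak keys as one input). As an added illustration, not part of the ballot text and not any CA's implementation, the block below shows the shape of a pre-issuance check on an RSA public key taken from a CSR: a blocklist lookup on a key fingerprint, which is how a published weak-key set would be consumed, plus a Fermat close-prime test. The fingerprint format (SHA-256 over the big-endian modulus bytes), the 100-round budget for Fermat's method, the function names (`modulus_fingerprint`, `fermat_factor`, `check_rsa_key`), the sample moduli and the sample blocklist are all assumptions constructed for this example; the page does not say which specific checks SC-073 requires. The 2048-bit RSA minimum is the existing Baseline Requirements minimum and is not something the ballot introduces.

```python
# Added example (not the ballot text, not any CA's code): pre-issuance weak-key
# checks on an RSA public key. The blocklist fingerprint format and the Fermat
# round budget are assumptions made for this example, not requirements quoted
# from SC-073. Pure standard library so it runs offline.
import hashlib
import math


def modulus_fingerprint(n: int) -> str:
    """SHA-256 over the big-endian modulus bytes (assumed blocklist key format)."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def fermat_factor(n: int, rounds: int = 100):
    """Fermat's method: find a, b with n = a^2 - b^2 = (a - b)(a + b).

    Succeeds within a handful of rounds when the two primes share most of
    their high bits (the close-prime weak-key case); for a well-generated
    modulus the loop exhausts its budget and returns None.
    """
    if n % 2 == 0:
        return (2, n // 2)          # even modulus is trivially factored
    a = math.isqrt(n)
    if a * a < n:
        a += 1                       # start at ceil(sqrt(n))
    for _ in range(rounds):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            if p > 1:
                return (p, q)
        a += 1
    return None


def check_rsa_key(n: int, e: int, blocklist: set, min_bits: int = 2048) -> list:
    """Return the reasons to reject the key; an empty list means accept.

    The blocklist lookup runs before and independently of the size check,
    so a blocklisted key is reported as blocklisted regardless of key size.
    """
    reasons = []
    if modulus_fingerprint(n) in blocklist:
        reasons.append("public key is on the weak/compromised key blocklist")
    if n.bit_length() < min_bits:
        reasons.append(f"modulus is {n.bit_length()} bits, below {min_bits}")
    if e < 3 or e % 2 == 0:
        reasons.append("public exponent must be an odd integer >= 3")
    if fermat_factor(n) is not None:
        reasons.append("modulus factored by Fermat's method (primes too close)")
    return reasons


# Constructed sample data, deliberately tiny so the example runs instantly.
CLOSE_PRIMES_N = 1000000007 * 1000000009     # p and q differ by 2
DISTANT_PRIMES_N = 104729 * 1000000007       # unrelated primes, far apart
# A stand-in for a published weak-key list, containing only the first modulus.
SAMPLE_BLOCKLIST = {modulus_fingerprint(CLOSE_PRIMES_N)}

if __name__ == "__main__":
    for label, n in (("close primes", CLOSE_PRIMES_N), ("distant primes", DISTANT_PRIMES_N)):
        print(label, check_rsa_key(n, 65537, SAMPLE_BLOCKLIST))
```

A real deployment would load the published fingerprint set into `SAMPLE_BLOCKLIST` and feed `check_rsa_key` the modulus and exponent parsed from the CSR; the reasons list is what would end up in the rejection record. Running the fingerprint lookup on every key, not only on keys that already pass the size check, matches the expectation recorded in the April 11 minutes further down this page that the weak-key check be made regardless of key size.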


Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-26 Thread Wayne Thayer via Servercert-wg
Fastly votes Yes to ballot SC-073.

- Wayne



Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-26 Thread Kateryna Aleksieieva via Servercert-wg
Certum votes "Yes" to Ballot SC-073


Best regards,

Kateryna Aleksieieva




[Servercert-wg] Final minutes of the SCWG call of April 11th

2024-04-26 Thread Inigo Barreira via Servercert-wg
These are the Final Minutes of the Teleconference described in the subject
of this message.


Dimitris is leading the call at Inigo's request due to a medical
appointment. Note-well read before Roll-call (but preserved normal order for
the minutes structure here).

1. Roll Call

Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Abhishek Bhat
(eMudhra), Adam Jones (Microsoft), Adriano Santoni (Actalis), Aggie Wang
(TrustAsia), Alvin Wang (SHECA), Andrea Holland (VikingCloud), Brianca
Martin (Amazon), Bruce Morton (Entrust), Chris Clements (Google), Ben Wilson
(Mozilla), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen
(OATI), David Kluge (Google), Dimitris Zacharopoulos (HARICA), Doug Beattie
(GlobalSign), Dustin Hollenback (Microsoft), Gregory Tomko (GlobalSign),
Inaba Atsushi (GlobalSign), Janet Hines (VikingCloud), Jaime Hablutzel
(OISTE Foundation), Jay Wilson (Sectigo), Johnny Reading (GoDaddy), Jos
Purvis (Fastly), Karina Sirota (Microsoft), Keshava Nagaraju (eMudhra),
Kiran Tummala (Microsoft), Llewellyn Curran (GoDaddy), Lynn Jeun (Visa),
Mads Henriksveen (Buypass AS), Mahua Chaudhuri (Microsoft), Marcelo Silva
(Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Michelle
Coon (OATI), Miguel Sanchez (Google), Mrugesh Chandarana (IdenTrust), Nargis
Mannan (VikingCloud), Nate Smith (GoDaddy), Naveen Kumar (eMudhra), Paul van
Brouwershaven (Entrust), Peter Miskovic (Disig), Rich Kapushinski
(CommScope), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Ryan Dickson
(Google Chrome), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sissel Hoel
(Buypass), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems),
Tathan Thacker (IdenTrust), Tim Hollebeek (DigiCert), Thomas Zermeno
(SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly),
Yashwanth TM (eMudhra), Yoshihiko Matsuo (Japan Registry Services).

2. Read note-well

The note-well was read by Dimitris.

3. Review of Agenda

The Agenda as provided by Inigo was followed for the call.

4. Minutes

a.  Approval of minutes from the February 15, 2024 Teleconference
(minutes have been distributed just prior to the call)

*   The minutes approval is delayed until next meeting due to their very
recent posting.

b.  Approval of minutes from the March 28, 2024 Teleconference (minutes
have NOT yet been distributed)

*   The minutes approval is deferred until after posting.

5. Membership

*   No current Applications to review.

6. Issues/Topics

*   Revocation is the topic listed for today; Kiran is invited to comment,
but is having audio issues.

Dimitris had previously prepared a spreadsheet of some revocation reasons
that were under consideration to extend period to more than 5 days with
appropriate justification.

Clint indicated that a draft document had been prepared and circulated to a
small group of folks to review ReasonCode and timelines and some discussion
had ensued but it's not yet ready for main stream.

*   PAG - Discussion on where it should be instantiated. It was agreed it
should be handled in the WG where it arose, which is here. Decision to cover
it after Ballot Review on today's call.

7. Ballots update

Review of the current ballots situation as per the agenda.

CURRENT STATUS OF BALLOTS 

*   Passed

*   SC72: Delete exception to policyQualifiers in EVGs; align with BRs
by making them NOT RECOMMENDED. 

*   Under PAG

*   SC70: Clarify the use of DTPs for Domain Control Validation 

*   This Ballot was rescinded.

*   Failed

*   None

*   Voting Period

*   None

*   Discussion Period

*   SC67 v1: Require domain validation and CAA checks to be performed
from multiple Network Perspectives. Ends on 17/4/24.

*   Ryan indicated that they are adjudicating comments in GitHub and
anticipate a 2nd round of discussions
*   Dimitris highlighted interesting discussion surrounding use of VPNs
for MPIC which is worth reviewing by the group. Also, on the security
question, there should perhaps be some discussion regarding security
controls required for the VPN usage
*   Ryan - there is no intention of limiting the usage of VPN for this
aspect

*   SCXX - Compromised/weak keys

*   This item was categorized incorrectly in the Agenda as it is
currently pre-ballot and thus it was discussed here instead.
*   Wayne confirmed it is still pre-ballot and indicated there has been
some discussion on whether to provide a list of resources or let CAs manage
their own. Wayne indicated he was leaning more to leaving it up to the CA's
responsibility, but is still looking for feedback. The expectation is that the
weak key check should be made regardless of key size, as requested by Clint.
*   Tim was ambivalent on Clint's request. Suggested we just pick a
reasonable proposal and proceed. 
*   Dimitris indicated that during the early versions of the ballot, the
WG had tried to describe the set of parameters that each CA needs 

[Servercert-wg] Final minutes SCWG call March 28th

2024-04-26 Thread Inigo Barreira via Servercert-wg
These are the Final Minutes of the Teleconference described in the subject
of this message.



Server Certificate Working Group - 28 March 2024


1. Roll Call


Aaron Gable - (ISRG), Aaron Poulsen - (Amazon), Abhishek Bhat - (eMudhra),
Adam Jones - (Microsoft), Adrian Mueller - (SwissSign), Alvin Wang -
(SHECA), Andreas Henschel - (D-Trust), Adriano Santoni (Actalis), Antti
Backman - (Telia Company), Atsushi Inaba - (GlobalSign), Ben Wilson -
(Mozilla), Brianca Martin - (Amazon), Bruce Morton - (Entrust), Clint Wilson
- (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Dean Coclin
- (DigiCert), Dong Wha Shin - (MOIS), Jaime Hablutzel - (OISTE Foundation),
Jay Wilson - (Sectigo), Johnny Reading - (GoDaddy), Jos Purvis - (Fastly),
Karina Sirota - (Microsoft), Keshava Nagaraju - (eMudhra), Kiran Tummala -
(Microsoft), Luis Cervantes - (GoDaddy), Lynn Jeun - (Visa), Marco Schambach -
(IdenTrust), Martijn Katerbarg - (Sectigo), Michelle Coon - (OATI), Michael
Slaughter - (Amazon), Miguel Sanchez - (Google), Nargis Mannan -
(VikingCloud), Nate Smith - (GoDaddy), Naveen Kumar - (eMudhra), Nicol So -
(CommScope), Nome Huang - (TrustAsia), Paul Van Brouwershaven - (Entrust),
Rich Kapushinski - (CommScope), Rich Smith - (DigiCert), Sandy Balzer -
(SwissSign), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Tathan
Thacker - (IdenTrust), Thomas Zermeno - (SSL.com), Trevoli Ponds-White -
(Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management
Authority), Yashwanth TM - (eMudhra), Yoshihiko Matsuo - (Japan Registry
Services).

2. Read note-well

The note-well was read by Paul.

3. Minutes

a) Minutes from the February 15, 2024 Teleconference

- The minutes have not been circulated yet.

b) Minutes from the February 27, 2024 F2F meeting(minutes were distributed
2024-03-06)

- The minutes were approved.

c) Minutes from the March 14, 2024 Teleconference (minutes were distributed
2024-03-15)

- The minutes were approved.

4. Issued/Topics to discuss

a) Ballot SC70: Clarify the use of DTPs for Domain Control Validation

- During the review period one member filed an exclusion notice
according to Article 2.4, and the results of the initial vote are rescinded
and deemed null and void.

- Ben Wilson started the process of forming a patent advisory group and he
is collecting names and email addresses of those interested in
participating.  

- The membership criteria for the Patent Advisory Group (PAG) are unclear,
specifically in relation to sections 7.1 and 7.2 of the IPR policy. Aaron
said the PAG in section 7.2 of the IPR Policy doesn't have an entry for the
exclusion notice, and we should revise the IPR Policy.

- There was discussion about clarifying the use of domain validation and the
need for GoDaddy's involvement in understanding the exact patent claims.

- There was a discussion about time limits for filing exclusion notices and
how they interact with membership periods. Nicol raised a question about the
clarification of substantive requirements and its interaction with the time
window for filing exclusion notices. Ben acknowledged the point and suggested
further examination of the situation. Aaron highlighted a concern about
unclear interactions between exclusion notices and existing guidelines.

b) SC72 voting period ends on April 1st, 24.

- There was a discussion about whether votes on the discussion period should
be considered valid, with some members suggesting that as long as the vote
is clear and during the voting period, it should be accepted.

c) SC67 discussion period ends April 17th, 24. 

- No comments

d) Review Period - Compromised/weak keys

- There was a suggestion to remove language regarding Debian weak keys and
have a third party submit all weak keys to certificate problem reporting
addresses.

- Wayne said he will change current requirement, add the additional weak key
requirements and move forward as a ballot.

e) Draft / Under Consideration

*   SCXX - Profiles cleanup ballot - on hold
*   SC71 - Subscriber agreement and terms of use consolidation 
*   SCXX - Measure all hours and days to the second - on hold
*   SC73 - Introduce linting in the TLS BRs
*   SC74 - Clarify CP/CPS structure according to RFC 3647

5. Next call: 11 April

6. Adjourn



[Servercert-wg] Final minutes of the SCWG meeting on Feb 15th of 2024

2024-04-26 Thread Inigo Barreira via Servercert-wg
These are the Final Minutes of the Teleconference described in the subject
of this message, prepared by Iñigo Barreira (Sectigo).





1. Roll Call


Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Abhishek Bhat -
(eMudhra), Adam Jones - (Microsoft), Adrian Mueller - (SwissSign), Antti
Backman - (Telia Company), Brianca Martin - (Amazon), Brittany Randall -
(GoDaddy), Bruce Morton - (Entrust), Chris Clements - (Google), Clint Wilson
- (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), David Kluge
- (Google), Dean Coclin - (DigiCert), Dimitris Zacharopoulos - (HARICA),
Doug Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Enrico
Entschew - (D-TRUST), Eva Vansteenberge - (GlobalSign), Gregory Tomko -
(GlobalSign), Inaba Atsushi - (GlobalSign), Inigo Barreira - (Sectigo),
Jaime Hablutzel - (OISTE Foundation), Johnny Reading - (GoDaddy), Jos Purvis
- (Fastly), Karina Sirota - (Microsoft), Keshava Nagaraju - (eMudhra), Kiran
Tummala - (Microsoft), Lynn Jeun - (Visa), Mads Henriksveen - (Buypass AS),
Marcelo Silva - (Visa), Marco Schambach - (IdenTrust), Mark Nelson -
(IdenTrust), Martijn Katerbarg - (Sectigo), Michelle Coon - (OATI), Miguel
Sanchez - (Google), Mrugesh Chandarana - (IdenTrust), Nargis Mannan -
(VikingCloud), Nate Smith - (GoDaddy), Nicol So - (CommScope), Pedro Fuentes
- (OISTE Foundation), Peter Miskovic - (Disig), Rebecca Kelley - (Apple),
RIch Smith - (DigiCert), Rollin Yu - (TrustAsia), Roman Fischer -
(SwissSign), Sandy Balzer - (SwissSign), Stephen Davidson - (DigiCert),
Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - (IdenTrust), Thomas
Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Trevoli
Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom), Wayne Thayer -
(Fastly), Wendy Brown - (US Federal PKI Management Authority), Yashwanth TM
- (eMudhra), Yoshihiko Matsuo - (Japan Registry Services).


2. Read note-well


The note-well was read.


3. Review of Agenda


The Agenda was approved.


4. Approval of minutes from the January 4, 2024 Teleconference (minutes have
been distributed)


The minutes were approved.


5. Approval of minutes from the February 1, 2024 Teleconference (minutes
have been distributed)


The minutes were approved.


6. Membership


*   Sun ShengNan: accepted as interested party. 
*   Dong Yul Lee: accepted as interested party.
*   Identrust: accepted as full member. 
*   MOIS (Ministry Of Interior and Safety) of Korea: accepted as
probationary member for 6 months before becoming full member.


7. Topics


GitHub open issues and F2F agenda


8. GitHub open issues


Iñigo

*   About 100 open issues in GitHub.
*   Some remain open for more than 4 years.
*   Some are open from people that do not attend/belong to the CABF
anymore.
*   Some were opened at some point but haven't been updated since.
*   The clean-up ballot will reduce this number to seventy-something but
will grow again.
*   GitHub usually publishes the newest ones on the first page and maybe
no one pays attention to the later pages (like the test keys, which initially
caught attention but then moved backwards and were only discussed again when
put on the agenda).
*   Need to define a procedure on how to deal with this number.

Trev

*   The main issue is that most of them are not self-contained. We just
don't know what happened at that time and why; they don't have the full
story of the issue.
*   We could benefit from putting together a set of required fields for
these issues, so that when checking old ones we are able to answer a basic
set of questions. And if we can't, just close those old ones.

Clint

*   Agreed with what Trev said, but from my point of view I don't see
this number as an issue. These issues remaining open is kind of a backlog of
identified issues, and maybe those were incorporated in other ballots but
not removed from there, but addressed in some way.
*   But it's also often useful in these types of issues to talk about a
proposed solution, so that when you're coming back to it you're not just
seeing the problem; you're seeing what someone else, or the group, was
thinking about how you could go about addressing it, and what the problem
even means in the mind of the person that opened it. So something like a
template of information that should be included in the issue description
seems like a pretty solid idea.

Iñigo

*   I don't think having a specific number, or an issue being created
four years ago, is a problem. It might be a concern if, after four years, we
haven't dealt with these open issues, and I don't know if this is because
there are so many that someone forgot about it, or any other concern. So it's
not just the number, not just the date, it's both: it's work created a long
time ago that hasn't been updated, and I don't know if it's still valid or
not.
*   Also like what Trev proposed, a kind of 

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-26 Thread Ben Wilson via Servercert-wg
Mozilla votes "yes".
