Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Inigo Barreira via Servercert-wg]

Hi,

 

Would like to know who voted on behalf of CFCA, can you provide? I can´t find 
this name on the list.

 

Regards

 

De: Servercert-wg  En nombre de ??? via 
Servercert-wg
Enviado el: domingo, 28 de abril de 2024 11:24
Para: CA/B Forum Server Certificate WG Public Discussion List 

Asunto: Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised 
and Weak Keys

 

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.

 

CFCA votes "yes".





-原始邮件-
发件人: "Wayne Thayer via Servercert-wg" mailto:servercert-wg@cabforum.org> >
发送时间: 2024-04-26 08:00:26 (星期五)
收件人: "CA/B Forum Server Certificate WG Public Discussion List" 
mailto:servercert-wg@cabforum.org> >
主题: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak 
Keys

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400424129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=%2B5LNo%2FCaCOkUyiiX%2B5zB8Uzhqs2SLo1Wqyq6djmB8gg%3D=0>
 :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively, 
including in the following threads:  
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400435454%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=Sboclo8yfSdE%2Bb4EBG0eQ6aLLXjt5sGvaiqoWuiQBKc%3D=0>
 https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html=05%7C02%7Cinigo.barreira%40sectigo.com%7C6557f42327d54e71b50d08dc6764ee0c%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638498930400443529%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=18x%2BF2rFQUdPfm5h4L7bQ8eckpIIPw%2Fp1zMUUUK5yKo%3D=0>
 https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
*   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC

 



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Inigo Barreira via Servercert-wg]

Hi Tsung-Min,



Unfortunately, this vote can´t be counted because has been received past
the end date.



Regards



De: Servercert-wg  En nombre de ??? via
Servercert-wg
Enviado el: viernes, 3 de mayo de 2024 3:45
Para: CA/B Forum Server Certificate WG Public Discussion List

Asunto: Re: [Servercert-wg] Voting Period Begins - Ballot SC-073:
Compromised and Weak Keys



CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.



Chunghwa Telecom votes ‘no’ on Ballot SC-073.



Tsung-Min Kuo



From: Servercert-wg mailto:servercert-wg-boun...@cabforum.org> > On Behalf Of Wayne Thayer via
Servercert-wg
Sent: Friday, April 26, 2024 2:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List
mailto:servercert-wg@cabforum.org> >
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised
and Weak Keys



Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates related to weak
and compromised private keys. These changes lie primarily in Section 6.1.1.3
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F
=05%7C02%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b
580%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313269287%7CUnknow
n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
Mn0%3D%7C0%7C%7C%7C=XsHguBpbFzTu1KX7GDl9vh4Cz8WTzSRomCzAPvh4KwA%3D
erved=0> :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
shall be made aware of compromised keys using their existing notification
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak
keys. Should this ballot pass, these changes become effective on November
15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and
publication of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively,
including in the following threads:
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b580%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313281535%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C=kuaRbNhWpVAuQPa4xzdso6W9vYTO1WkXiYoDM7Kp%2BRY%3D=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
and
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Ca7c4fd83aa94478189c608dc6b12b580%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638502975313290247%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C=Yx6buWDf7d2U%2FLNpKUah9SBqKasSXxW9xPQS0fZL9MU%3D=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
*   This ballot does not appear to conflict with any other ballots that
are currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

- Motion Begins -

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates as specified in the following
Redline:

Here is a link to the immutable GitHub redline:
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807
c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

- Motion Ends -

This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC







smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[郭宗閔 via Servercert-wg]

Chunghwa Telecom votes ‘no’ on Ballot SC-073. 

 

Tsung-Min Kuo 

 

From: Servercert-wg mailto:servercert-wg-boun...@cabforum.org> > On Behalf Of Wayne Thayer via
Servercert-wg
Sent: Friday, April 26, 2024 2:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List
mailto:servercert-wg@cabforum.org> >
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised
and Weak Keys

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates related to weak
and compromised private keys. These changes lie primarily in Section 6.1.1.3
<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F
=05%7C02%7Ctmkuo%40cht.com.tw%7C5a8a789bca98401a438c08dc6a7e9041%7C54eb
9440cf0345fe835e61bd4ce515c8%7C0%7C0%7C638502339031475174%7CUnknown%7CTWFpbG
Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0
%7C%7C%7C=G4qU8iQWwf6HT4Gv4m%2FSxA3CBxTj56Lh%2Fxz1ycKUGY4%3D=
0> :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
shall be made aware of compromised keys using their existing notification
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak
keys. Should this ballot pass, these changes become effective on November
15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and
publication of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively,
including in the following threads:
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html=05%7C0
2%7Ctmkuo%40cht.com.tw%7C5a8a789bca98401a438c08dc6a7e9041%7C54eb9440cf0345fe
835e61bd4ce515c8%7C0%7C0%7C638502339031483002%7CUnknown%7CTWFpbGZsb3d8eyJWIj
oiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C
ata=O7eVqc%2Bz%2B4FXrDdN8uck2aG1UCGw2b3HnY41hX3aIHE%3D=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
and
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html=05%7C0
2%7Ctmkuo%40cht.com.tw%7C5a8a789bca98401a438c08dc6a7e9041%7C54eb9440cf0345fe
835e61bd4ce515c8%7C0%7C0%7C638502339031487142%7CUnknown%7CTWFpbGZsb3d8eyJWIj
oiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C
ata=2gJxRk7LtsfVOGSH%2FcnTMBTaN8Nx%2B%2BCxzlFJaayGMEA%3D=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
*   This ballot does not appear to conflict with any other ballots that
are currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates as specified in the following
Redline:

Here is a link to the immutable GitHub redline:
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co
m%2Fcabforum%2Fservercert%2Fcompare%2Fa65402cff89affe1fc0a1f0e49807c7e42e160
8a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0=05%7C02%7Ctmkuo%40cht.com
.tw%7C5a8a789bca98401a438c08dc6a7e9041%7C54eb9440cf0345fe835e61bd4ce515c8%7C
0%7C0%7C638502339031491221%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQI
joiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=3jSsBVkrV%2FKKV
H34XMbxit41SVwq3%2BZjNVg%2BXgTJyx8%3D=0>
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807
c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC



 



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Entschew, Enrico via Servercert-wg]

D-Trust votes „YES“ on SC-073.

 

Thanks,

Enrico

 

Von: Servercert-wg  Im Auftrag von Wayne 
Thayer via Servercert-wg
Gesendet: Friday, April 26, 2024 2:00 AM
An: CA/B Forum Server Certificate WG Public Discussion List 

Betreff: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<http://6.1.1.3> :

·   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).

·   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

·   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

·   Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.

·   The Debian weak keys requirements have been discussed extensively, 
including in the following threads:  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 

·   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline:  
<https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0>
 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

·   Start time: 2024-04-18 00:00:00 UTC

·   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

·   Start time: 2024-04-26 00:00:00 UTC

*   End time: 2024-05-03 00:00:00 UTC

--- Begin Message ---
D-Trust votes „YES“ on SC-073.

 

Thanks,

Enrico

 

Von: Servercert-wg  Im Auftrag von Wayne 
Thayer via Servercert-wg
Gesendet: Friday, April 26, 2024 2:00 AM
An: CA/B Forum Server Certificate WG Public Discussion List 

Betreff: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<http://6.1.1.3> :

·   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).

·   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

·   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

·   Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.

·   The Debian weak keys requirements have been discussed extensively, 
including in the following threads:  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 

·   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Cert

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Michael Guenther via Servercert-wg]

SwissSign votes 'yes' on Ballot SC-073

Mike

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday, April 26, 2024 2:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3/>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).
  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com's contributions are appreciated.
  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.
  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

- Motion Begins -

This ballot modifies the "Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates" ("Baseline Requirements"), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

- Motion Ends -

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC
  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC
  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[大野 文彰 via Servercert-wg]

SECOM Trust Systems votes YES on Ballot SC-073.

Best Regards,

ONO, Fumiaki
SECOM Trust Systems Co., Ltd.

From: Servercert-wg [mailto:servercert-wg-boun...@cabforum.org] On Behalf Of 
Wayne Thayer via Servercert-wg
Sent: Friday, April 26, 2024 9:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3>:

· 6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).

· 6.1.1.3(5) improves guidance for CAs around the detection of weak 
keys. Should this ballot pass, these changes become effective on November 15, 
2024.

Notes:

· This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

· Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.

· The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

· This ballot does not appear to conflict with any other ballots that 
are currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

· Start time: 2024-04-18 00:00:00 UTC

· End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

· Start time: 2024-04-26 00:00:00 UTC

  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Yoshihiko Matsuo via Servercert-wg]

JPRS votes YES to Ballot SC-073

Yoshihiko Matsuo

On 2024/04/26 9:00, Wayne Thayer via Servercert-wg wrote:

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
:

  *

6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).

  *

6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *

This ballot builds on the extensive work done by SSL.com in creating ballot 
SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

  *

Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.

  *

The Debian weak keys requirements have been discussed extensively, including in the 
following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html 
and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 


  *

This ballot does not appear to conflict with any other ballots that are 
currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 


— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *

Start time: 2024-04-18 00:00:00 UTC

  *

End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *

Start time: 2024-04-26 00:00:00 UTC

  * End time: 2024-05-03 00:00:00 UTC


___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Andrea Holland via Servercert-wg]

VikingCloud votes yes on SC-073.

Regards,
Andrea Holland


From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Thursday, April 25, 2024 8:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys


Caution: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).
  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.
  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC
  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC
  *   End time: 2024-05-03 00:00:00 UTC





Company Registration Details
VikingCloud is the registered business name of Sysxnet Limited. Sysxnet Limited 
is registered in Ireland under company registration number 147176 and its 
registered office is at 1st Floor, Block 71a, The Plaza, Park West Business 
Park, Dublin 12, Ireland.

Email Disclaimer
The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. If 
you are not the intended recipient you are hereby notified that any disclosure, 
copying, distribution or taking any action in reliance on the contents of this 
information is strictly prohibited and may be unlawful. If you have received 
this communication in error, please notify us immediately by responding to this 
email and then delete it from your system. Sysxnet Limited is neither liable 
for the proper and complete transmission of the information contained in this 
communication nor for any delay in its receipt..
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[So, Nicol via Servercert-wg]

CommScope votes “yes” to Ballot SC-073.

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Thursday, April 25, 2024 8:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

Purpose of Ballot SC-073 This ballot proposes updates to the Baseline 
Requirements for the Issuance and Management of Publicly-Trusted TLS Server 
Certificates related to weak and compromised private k
Caution: External 
(servercert-wg@cabforum.org<mailto:servercert-wg@cabforum.org>)
Misleading Reply-To   
Details<https://protection.inkyphishfence.com/details?id=Y29tbXNjb3BlL25pY29sLnNvQGNvbW1zY29wZS5jb20vYTI1NTdjMzQ3ZTk3ZDc4ODA1ODE5NTZjMjdmNjFiYWMvMTcxNDE0MDMzNy40NA==#key=1dd5c15bb159867b99bd1b4930aa738a>
  Report This 
Email<https://protection.inkyphishfence.com/report?id=Y29tbXNjb3BlL25pY29sLnNvQGNvbW1zY29wZS5jb20vYTI1NTdjMzQ3ZTk3ZDc4ODA1ODE5NTZjMjdmNjFiYWMvMTcxNDE0MDMzNy40NA==#key=1dd5c15bb159867b99bd1b4930aa738a>
  FAQ<https://www.inky.com/banner-faq>  Protection by 
INKY<https://www.inky.com/protection-by-inky>


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).
  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com<http://SSL.com> 
in creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are 
appreciated.
  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.
  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC
  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC
  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Rollin.Yu via Servercert-wg]

TrustAsia votes YES on Ballot SC-073.

Best regards,
Rollin Yu





> On Apr 26, 2024, at 08:00, Wayne Thayer via Servercert-wg 
>  wrote:
> 
> Purpose of Ballot SC-073
> This ballot proposes updates to the Baseline Requirements for the Issuance 
> and Management of Publicly-Trusted TLS Server Certificates related to weak 
> and compromised private keys. These changes lie primarily in Section 6.1.1.3 
> :
> 
> 6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be 
> made aware of compromised keys using their existing notification mechanism(s).
> 6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
> Should this ballot pass, these changes become effective on November 15, 2024.
> 
> Notes:
> 
> This ballot builds on the extensive work done by SSL.com in creating ballot 
> SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
> Thanks to Rob Stradling of Sectigo for the generation and publication of the 
> set of Debian weak keys referenced in this ballot.
> The Debian weak keys requirements have been discussed extensively, including 
> in the following threads: 
> https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
> https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
> This ballot does not appear to conflict with any other ballots that are 
> currently under discussion.
> 
> 
> The following motion has been proposed by Wayne Thayer of Fastly, and 
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
> — Motion Begins —
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based 
> on Version 2.0.3.
> MODIFY the Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted TLS Server Certificates as specified in the following 
> Redline:
> Here is a link to the immutable GitHub redline: 
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
>  
> — Motion Ends —
> This ballot proposes a Final Maintenance Guideline. The procedure for 
> approval of this ballot is as follows:
> Discussion (7+ days)
> 
> Start time: 2024-04-18 00:00:00 UTC
> End time: 2024-04-26 00:00:00 UTC
> Vote for approval (7 days)
> 
> Start time: 2024-04-26 00:00:00 UTC
> End time: 2024-05-03 00:00:00 UTC
> ___
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Doug Beattie via Servercert-wg]

GlobalSign votes yes on Ballot SC-073.

 

Doug

 

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Thursday, April 25, 2024 8:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<http://6.1.1.3> :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively, 
including in the following threads:  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
*   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline:  
<https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0>
 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Aaron Gable via Servercert-wg]

Let's Encrypt / ISRG votes Yes on SC-073.

On Thu, Apr 25, 2024 at 5:00 PM Wayne Thayer via Servercert-wg <
servercert-wg@cabforum.org> wrote:

> Purpose of Ballot SC-073
>
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted TLS Server Certificates related to weak
> and compromised private keys. These changes lie primarily in Section
> 6.1.1.3:
>
>-
>
>6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
>shall be made aware of compromised keys using their existing notification
>mechanism(s).
>-
>
>6.1.1.3(5) improves guidance for CAs around the detection of weak
>keys. Should this ballot pass, these changes become effective on November
>15, 2024.
>
> Notes:
>
>-
>
>This ballot builds on the extensive work done by SSL.com in creating
>ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
>-
>
>Thanks to Rob Stradling of Sectigo for the generation and publication
>of the set of Debian weak keys referenced in this ballot.
>-
>
>The Debian weak keys requirements have been discussed extensively,
>including in the following threads:
>https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
>and
>https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
>
>-
>
>This ballot does not appear to conflict with any other ballots that
>are currently under discussion.
>
>
> The following motion has been proposed by Wayne Thayer of Fastly, and
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.3.
>
> MODIFY the Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates as specified in the following
> Redline:
>
> Here is a link to the immutable GitHub redline:
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
>
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>-
>
>Start time: 2024-04-18 00:00:00 UTC
>-
>
>End time: 2024-04-26 00:00:00 UTC
>
> Vote for approval (7 days)
>
>-
>
>Start time: 2024-04-26 00:00:00 UTC
>- End time: 2024-05-03 00:00:00 UTC
>
> ___
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Inigo Barreira via Servercert-wg]

Sectigo votes yes

 

De: Servercert-wg  En nombre de Wayne
Thayer via Servercert-wg
Enviado el: viernes, 26 de abril de 2024 2:00
Para: CA/B Forum Server Certificate WG Public Discussion List

Asunto: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised
and Weak Keys

 

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates related to weak
and compromised private keys. These changes lie primarily in Section 6.1.1.3
<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F6.1.1.3%2F
=05%7C02%7Cinigo.barreira%40sectigo.com%7Cc1aa184abc614ad62fd208dc6583d
f46%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638496864275225389%7CUnknow
n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
Mn0%3D%7C0%7C%7C%7C=MeQwMDcdeeDLJBE7EfU%2BoPDlbD7NsCGEaFUKBIp4HnQ%3D
eserved=0> :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
shall be made aware of compromised keys using their existing notification
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak
keys. Should this ballot pass, these changes become effective on November
15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating
ballot SC-59v2 Weak Key Guidance. SSL.com's contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and
publication of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively,
including in the following threads:
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-March%2F004291.html=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Cc1aa184abc614ad62fd208dc6583df46%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638496864275234119%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C=5BQuIofQNsImkhOfD0UYjVMbcFRkx0CYF07hq33sHoI%3D=0>
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
and
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fpipermail%2Fservercert-wg%2F2024-April%2F004422.html=05%7C0
2%7Cinigo.barreira%40sectigo.com%7Cc1aa184abc614ad62fd208dc6583df46%7C0e9c48
946caa465d96604b6968b49fb7%7C0%7C0%7C638496864275239982%7CUnknown%7CTWFpbGZs
b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7
C%7C%7C=bw5BAzYZaRnLXcTE%2FTX%2F1hMiK%2BUOfTwzWTKlP9bbFuw%3D=
0> https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

*   This ballot does not appear to conflict with any other ballots that
are currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

- Motion Begins -

This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates as specified in the following
Redline:

Here is a link to the immutable GitHub redline:
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807
c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 

- Motion Ends -

This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Backman, Antti via Servercert-wg]

Telia Company votes ‘Yes’ on Ballot SC-073 

//Antti 


From: Servercert-wg  on behalf of Wayne 
Thayer via Servercert-wg 
Date: Friday, 26. April 2024 at 3.00
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys 

Purpose of Ballot SC-073 
This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<_blank>: 

* 6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be 
made aware of compromised keys using their existing notification mechanism(s). 
* 6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024. 
Notes: 

* This ballot builds on the extensive work done by SSL.com in creating ballot 
SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated. 
* Thanks to Rob Stradling of Sectigo for the generation and publication of the 
set of Debian weak keys referenced in this ballot. 
* The Debian weak keys requirements have been discussed extensively, including 
in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html 
<_blank> and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
<_blank> 
* This ballot does not appear to conflict with any other ballots that are 
currently under discussion. 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust. 
— Motion Begins — 
This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3. 
MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline: 
Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 <_blank> 
— Motion Ends — 
This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows: 
Discussion (7+ days) 

* Start time: 2024-04-18 00:00:00 UTC 
* End time: 2024-04-26 00:00:00 UTC 
Vote for approval (7 days) 

* Start time: 2024-04-26 00:00:00 UTC 
* End time: 2024-05-03 00:00:00 UTC 







smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Tom Zermeno via Servercert-wg]

SSL.com votes “Yes” on SC-073. 

 

-Tom

SSL.com

 

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Thursday, April 25, 2024 7:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

 

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3 
<http://6.1.1.3> :

*   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs 
shall be made aware of compromised keys using their existing notification 
mechanism(s).
*   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

*   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
*   Thanks to Rob Stradling of Sectigo for the generation and publication 
of the set of Debian weak keys referenced in this ballot.
*   The Debian weak keys requirements have been discussed extensively, 
including in the following threads:  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and  
<https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html> 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
*   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

 

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline:  
<https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0>
 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

*   Start time: 2024-04-18 00:00:00 UTC
*   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

*   Start time: 2024-04-26 00:00:00 UTC
*   End time: 2024-05-03 00:00:00 UTC



smime.p7s
Description: S/MIME cryptographic signature
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[xiulei--- via Servercert-wg]

GDCA votes YES on Ballot SC-073.
Thanks.
 
From: Wayne Thayer via Servercert-wg
Date: 2024-04-26 08:00
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys
Purpose of Ballot SC-073
This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3:
6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be 
made aware of compromised keys using their existing notification mechanism(s).
6.1.1.3(5) improves guidance for CAs around the detection of weak keys. Should 
this ballot pass, these changes become effective on November 15, 2024.
Notes:
This ballot builds on the extensive work done by SSL.com in creating ballot 
SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
Thanks to Rob Stradling of Sectigo for the generation and publication of the 
set of Debian weak keys referenced in this ballot.
The Debian weak keys requirements have been discussed extensively, including in 
the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
— Motion Begins —
This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.
MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:
Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 
— Motion Ends —
This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:
Discussion (7+ days)
Start time: 2024-04-18 00:00:00 UTC
End time: 2024-04-26 00:00:00 UTC
Vote for approval (7 days)
Start time: 2024-04-26 00:00:00 UTC
End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[chtsai]

TWCA  votes "Yes" to Ballot SC-073

From: Servercert-wg  On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday, April 26, 2024 8:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).
  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.
  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.



The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC
  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC
  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[lv_hui--- via Servercert-wg]

iTrusChina  votes "yes" to ballot SC-073



lv_...@itrus.cn
 
From: Wayne Thayer via Servercert-wg
Date: 2024-04-26 08:00
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys
Purpose of Ballot SC-073
This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3:
6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be 
made aware of compromised keys using their existing notification mechanism(s).
6.1.1.3(5) improves guidance for CAs around the detection of weak keys. Should 
this ballot pass, these changes become effective on November 15, 2024.
Notes:
This ballot builds on the extensive work done by SSL.com in creating ballot 
SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
Thanks to Rob Stradling of Sectigo for the generation and publication of the 
set of Debian weak keys referenced in this ballot.
The Debian weak keys requirements have been discussed extensively, including in 
the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 
This ballot does not appear to conflict with any other ballots that are 
currently under discussion.

The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
— Motion Begins —
This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.
MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:
Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 
— Motion Ends —
This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:
Discussion (7+ days)
Start time: 2024-04-18 00:00:00 UTC
End time: 2024-04-26 00:00:00 UTC
Vote for approval (7 days)
Start time: 2024-04-26 00:00:00 UTC
End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[仇大伟 via Servercert-wg]

CFCA votes "yes".


-原始邮件-
发件人:"Wayne Thayer via Servercert-wg" 
发送时间:2024-04-26 08:00:26 (星期五)
收件人: "CA/B Forum Server Certificate WG Public Discussion List" 

主题: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak 
Keys



Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 6.1.1.3:

6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall be 
made aware of compromised keys using their existing notification mechanism(s).

6.1.1.3(5) improves guidance for CAs around the detection of weak keys. Should 
this ballot pass, these changes become effective on November 15, 2024.

Notes:

This ballot builds on the extensive work done by SSL.com in creating ballot 
SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

Thanks to Rob Stradling of Sectigo for the generation and publication of the 
set of Debian weak keys referenced in this ballot.

The Debian weak keys requirements have been discussed extensively, including in 
the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html 

This ballot does not appear to conflict with any other ballots that are 
currently under discussion.




The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
 

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

Start time: 2024-04-18 00:00:00 UTC

End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

Start time: 2024-04-26 00:00:00 UTC

End time: 2024-05-03 00:00:00 UTC

___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Dimitris Zacharopoulos (HARICA) via Servercert-wg]

HARICA votes "yes" to ballot SC-073.

On 26/4/2024 3:00 π.μ., Wayne Thayer via Servercert-wg wrote:


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the 
Issuance and Management of Publicly-Trusted TLS Server Certificates 
related to weak and compromised private keys. These changes lie 
primarily in Section 6.1.1.3 :


 *

6.1.1.3(4) clarifies that, for the purpose of this requirement,
CAs shall be made aware of compromised keys using their existing
notification mechanism(s).

 *

6.1.1.3(5) improves guidance for CAs around the detection of weak
keys. Should this ballot pass, these changes become effective on
November 15, 2024.

Notes:

 *

This ballot builds on the extensive work done by SSL.com in
creating ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions
are appreciated.

 *

Thanks to Rob Stradling of Sectigo for the generation and
publication of the set of Debian weak keys referenced in this ballot.

 *

The Debian weak keys requirements have been discussed extensively,
including in the following threads:
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html

and
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html


 *

This ballot does not appear to conflict with any other ballots
that are currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and 
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.


— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and 
Management of Publicly-Trusted Certificates” (“Baseline 
Requirements”), based on Version 2.0.3.


MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following 
Redline:


Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0 



— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for 
approval of this ballot is as follows:


Discussion (7+ days)

 *

Start time: 2024-04-18 00:00:00 UTC

 *

End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

 *

Start time: 2024-04-26 00:00:00 UTC

  * End time: 2024-05-03 00:00:00 UTC


___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Brittany Randall via Servercert-wg]

GoDaddy votes yes to ballot SC-073

Best,

Brittany

From: Servercert-wg  on behalf of Wayne 
Thayer via Servercert-wg 
Sent: Thursday, April 25, 2024 5:00 PM
To: CA/B Forum Server Certificate WG Public Discussion List 

Subject: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys

Caution: This email is from an external sender. Please do not click links or 
open attachments unless you recognize the sender and know the content is safe. 
Forward suspicious emails to isitbad@.



Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3/>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).

  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.

  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC

  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC

  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Wayne Thayer via Servercert-wg]

Fastly votes Yes to ballot SC-073.

- Wayne

On Thu, Apr 25, 2024 at 5:00 PM Wayne Thayer via Servercert-wg <
servercert-wg@cabforum.org> wrote:

> Purpose of Ballot SC-073
>
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted TLS Server Certificates related to weak
> and compromised private keys. These changes lie primarily in Section
> 6.1.1.3:
>
>-
>
>6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
>shall be made aware of compromised keys using their existing notification
>mechanism(s).
>-
>
>6.1.1.3(5) improves guidance for CAs around the detection of weak
>keys. Should this ballot pass, these changes become effective on November
>15, 2024.
>
> Notes:
>
>-
>
>This ballot builds on the extensive work done by SSL.com in creating
>ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
>-
>
>Thanks to Rob Stradling of Sectigo for the generation and publication
>of the set of Debian weak keys referenced in this ballot.
>-
>
>The Debian weak keys requirements have been discussed extensively,
>including in the following threads:
>https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
>and
>https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
>
>-
>
>This ballot does not appear to conflict with any other ballots that
>are currently under discussion.
>
>
> The following motion has been proposed by Wayne Thayer of Fastly, and
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.3.
>
> MODIFY the Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates as specified in the following
> Redline:
>
> Here is a link to the immutable GitHub redline:
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
>
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>-
>
>Start time: 2024-04-18 00:00:00 UTC
>-
>
>End time: 2024-04-26 00:00:00 UTC
>
> Vote for approval (7 days)
>
>-
>
>Start time: 2024-04-26 00:00:00 UTC
>- End time: 2024-05-03 00:00:00 UTC
>
> ___
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Kateryna Aleksieieva via Servercert-wg]

Certum votes "Yes" to Ballot SC-073


Best regards,

Kateryna Aleksieieva


Od: Servercert-wg  w imieniu użytkownika 
Wayne Thayer via Servercert-wg 
Wysłane: piątek, 26 kwietnia 2024 02:00
Do: CA/B Forum Server Certificate WG Public Discussion List 

Temat: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and 
Weak Keys


Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance and 
Management of Publicly-Trusted TLS Server Certificates related to weak and 
compromised private keys. These changes lie primarily in Section 
6.1.1.3<http://6.1.1.3/>:

  *   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs shall 
be made aware of compromised keys using their existing notification 
mechanism(s).

  *   6.1.1.3(5) improves guidance for CAs around the detection of weak keys. 
Should this ballot pass, these changes become effective on November 15, 2024.

Notes:

  *   This ballot builds on the extensive work done by SSL.com in creating 
ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.

  *   Thanks to Rob Stradling of Sectigo for the generation and publication of 
the set of Debian weak keys referenced in this ballot.

  *   The Debian weak keys requirements have been discussed extensively, 
including in the following threads: 
https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html and 
https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

  *   This ballot does not appear to conflict with any other ballots that are 
currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and endorsed 
by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and Management 
of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 
2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of 
Publicly-Trusted TLS Server Certificates as specified in the following Redline:

Here is a link to the immutable GitHub redline: 
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0

— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for approval 
of this ballot is as follows:

Discussion (7+ days)

  *   Start time: 2024-04-18 00:00:00 UTC

  *   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

  *   Start time: 2024-04-26 00:00:00 UTC

  *   End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Ben Wilson via Servercert-wg]

Mozilla votes "yes".

On Fri, Apr 26, 2024 at 2:00 AM Wayne Thayer via Servercert-wg <
servercert-wg@cabforum.org> wrote:

> Purpose of Ballot SC-073
>
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted TLS Server Certificates related to weak
> and compromised private keys. These changes lie primarily in Section
> 6.1.1.3:
>
>-
>
>6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
>shall be made aware of compromised keys using their existing notification
>mechanism(s).
>-
>
>6.1.1.3(5) improves guidance for CAs around the detection of weak
>keys. Should this ballot pass, these changes become effective on November
>15, 2024.
>
> Notes:
>
>-
>
>This ballot builds on the extensive work done by SSL.com in creating
>ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
>-
>
>Thanks to Rob Stradling of Sectigo for the generation and publication
>of the set of Debian weak keys referenced in this ballot.
>-
>
>The Debian weak keys requirements have been discussed extensively,
>including in the following threads:
>https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
>and
>https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html
>
>-
>
>This ballot does not appear to conflict with any other ballots that
>are currently under discussion.
>
>
> The following motion has been proposed by Wayne Thayer of Fastly, and
> endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.
>
> — Motion Begins —
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.3.
>
> MODIFY the Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates as specified in the following
> Redline:
>
> Here is a link to the immutable GitHub redline:
> https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0
>
>
> — Motion Ends —
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>-
>
>Start time: 2024-04-18 00:00:00 UTC
>-
>
>End time: 2024-04-26 00:00:00 UTC
>
> Vote for approval (7 days)
>
>-
>
>Start time: 2024-04-26 00:00:00 UTC
>- End time: 2024-05-03 00:00:00 UTC
>
> ___
> Servercert-wg mailing list
> Servercert-wg@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg

[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

[Wayne Thayer via Servercert-wg]

Purpose of Ballot SC-073

This ballot proposes updates to the Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server Certificates related to weak
and compromised private keys. These changes lie primarily in Section 6.1.1.3
:

   -

   6.1.1.3(4) clarifies that, for the purpose of this requirement, CAs
   shall be made aware of compromised keys using their existing notification
   mechanism(s).
   -

   6.1.1.3(5) improves guidance for CAs around the detection of weak keys.
   Should this ballot pass, these changes become effective on November 15,
   2024.

Notes:

   -

   This ballot builds on the extensive work done by SSL.com in creating
   ballot SC-59v2 Weak Key Guidance. SSL.com’s contributions are appreciated.
   -

   Thanks to Rob Stradling of Sectigo for the generation and publication of
   the set of Debian weak keys referenced in this ballot.
   -

   The Debian weak keys requirements have been discussed extensively,
   including in the following threads:
   https://lists.cabforum.org/pipermail/servercert-wg/2024-March/004291.html
   and
   https://lists.cabforum.org/pipermail/servercert-wg/2024-April/004422.html

   -

   This ballot does not appear to conflict with any other ballots that are
   currently under discussion.


The following motion has been proposed by Wayne Thayer of Fastly, and
endorsed by Brittany Randall of GoDaddy and Bruce Morton of Entrust.

— Motion Begins —

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 2.0.3.

MODIFY the Baseline Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates as specified in the following
Redline:

Here is a link to the immutable GitHub redline:
https://github.com/cabforum/servercert/compare/a65402cff89affe1fc0a1f0e49807c7e42e1608a...bee10c8e4a56815bffd59fab12cbd4044baa7cc0


— Motion Ends —

This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

Discussion (7+ days)

   -

   Start time: 2024-04-18 00:00:00 UTC
   -

   End time: 2024-04-26 00:00:00 UTC

Vote for approval (7 days)

   -

   Start time: 2024-04-26 00:00:00 UTC
   - End time: 2024-05-03 00:00:00 UTC
___
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg