Dear Dimitris (and all),
I don’t think that „SHOULD effective date of 15 September, 2024” is necessary.
It’s been long-standing best practice to do some form of linting. So making it
mandatory in March 2025 shouldn’t be a problem.
However, I’m wondering how “…checked for conformance with the
Dear colleagues,
We have started internal discussions about possible architectures to implement
this new feature. This of course also involves the vendor of our CA system
because architecture of the remote perspectives has big impacts on the changes
needed in the CA system.
One of the ideas
I'd like to point out that probably many CA is not a Software-Development
company and relies on suppliers for their CA systems.
Rgds
Roman
From: Servercert-wg On Behalf Of Martijn
Katerbarg via Servercert-wg
Sent: Dienstag, 21. Mai 2024 10:09
To: Dimitris Zacharopoulos ; CA/B Forum Server
On 15/5/2024 7:35 π.μ., Roman Fischer via Servercert-wg wrote:
Dear Aaron,
Interesting line of argumentation. Wouldn’t that conclude that -every-
mis-issuance of a leaf certificate would be a violation of "all certificates
that it issues MUST comply with one of the following certificate pro
Dear Aaron,
Interesting line of argumentation. Wouldn’t that conclude that -every-
mis-issuance of a leaf certificate would be a violation of "all certificates
that it issues MUST comply with one of the following certificate profiles" and
thus would require the ICA to be revoked? That can’t be
Hi Wendy,
I would definitely go for c) because the documents are overall not standardized
enough to do any kind of automatic parsing where a) or b) would maybe help.
Rgds
Roman
From: Servercert-wg On Behalf Of Wendy
Brown - QT3LB-C via Servercert-wg
Sent: Donnerstag, 9. Mai 2024 16:58
To:
Thanks Wayne for your efforts! I like the current wording very much.
Kind regards
Roman
From: Servercert-wg On Behalf Of Wayne
Thayer via Servercert-wg
Sent: Freitag, 12. April 2024 23:36
To: Clint Wilson ; ServerCert CA/BF
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
Could we limit the Debian Weak keys to key sizes up to RSA 4096 bit? I don’t
think that anybody “accidentally” creates an 8192 bit RSA key on a system
vulnerable to Debian Weak keys.
Kind regards
Roman
PS: Can somebody explain, why we only test close primes with 100 rounds and not
e.g. 1000?
I would propose a pragmatic approach: Limit the Debian weak keys to be
considered/rejected by CAs to an upper bound (e.g. 4096 or 8192 bits) assuming
that any weak key above that has been intentionally manufactured by a security
researcher.
-Roman
From: Servercert-wg On Behalf Of Wayne
if the above-referenced
draft is generally acceptable, please contact me, and we can work out any
remaining details.
Thanks,
Ben
On Tue, Jul 25, 2023 at 11:07 PM Roman Fischer via Servercert-wg
mailto:servercert-wg@cabforum.org>> wrote:
Dear Ben,
I like your two new suggestions as they offe
ht be far more useful.
Metrics like participation are rather intrusive and onerous, except to those
who are trying to game them, and those trying to game such metrics will succeed
with little or no effort.
-Tim
From: Servercert-wg
mailto:servercert-wg-boun...@cabforum.org>>
On Behalf Of R
l succeed
with little or no effort.
-Tim
From: Servercert-wg
mailto:servercert-wg-boun...@cabforum.org>>
On Behalf Of Roman Fischer via Servercert-wg
Sent: Wednesday, July 12, 2023 7:23 AM
To: CA/B Forum Server Certificate WG Public Discussion List
mailto:servercert-wg@cabforum.org>&g
Dear Ben,
Mandatory participation has in my experience never resulted in more or better
discussions. People will dial into the telco and let it run in the background
to “earn the credits”.
Also, what would happen after the 90 day suspension? Would the organization be
removed as a CA/B member?
13 matches
Mail list logo