Re: [Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-26 Thread Wayne Thayer via Servercert-wg
Fastly votes Yes to ballot SC-073. - Wayne On Thu, Apr 25, 2024 at 5:00 PM Wayne Thayer via Servercert-wg < servercert-wg@cabforum.org> wrote: > Purpose of Ballot SC-073 > > This ballot proposes updates to the Baseline Requirements for the Issuance > and Management of Pu

[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-25 Thread Wayne Thayer via Servercert-wg
Purpose of Ballot SC-073 This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to weak and compromised private keys. These changes lie primarily in Section 6.1.1.3 : - 6.1.1.3(4) clarifies that, for

Re: [Servercert-wg] [EXTERNAL] Re: Discussion Period Begins - Ballot SC-071: Subscriber Agreement and Terms of Use Consolidation

2024-04-23 Thread Wayne Thayer via Servercert-wg
Thanks Ben! The second commit you linked removes the effective date for CP/CPS updates from section 9.6.3. While I'm not convinced that this is necessary, it seems to add some clarity. Was that paragraph meant to remain in place? If not, what is the reasoning? Otherwise I am also happy with

[Servercert-wg] Discussion Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-17 Thread Wayne Thayer via Servercert-wg
Purpose of Ballot SC-073 This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to weak and compromised private keys. These changes lie primarily in Section 6.1.1.3 : - 6.1.1.3(4) clarifies that, for

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-16 Thread Wayne Thayer via Servercert-wg
On Tue, Apr 16, 2024 at 3:23 PM Rob Stradling wrote: > > Rob Stradling: I would like to import your repo to > github.com/cabforum/Debian-weak-keys. May I have your permission to do so? > > Hi Wayne. I put together the repositories at > https://github.com/CVE-2008-0166 a few years ago with the

Re: [Servercert-wg] Discussion Period Begins - Ballot SC-071: Subscriber Agreement and Terms of Use Consolidation

2024-04-16 Thread Wayne Thayer via Servercert-wg
I have three questions about the implications of changes proposed by this ballot: 1. Section 9.6.1 adds language that imposes or makes the following requirements explicit: > i. the Subscriber has been provided with the most current version of the > Subscriber Agreement; > ii. the applicable

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-15 Thread Wayne Thayer via Servercert-wg
> of keys, what changes are expected then? > > Regards, > Tomas > > > -------------- > *From:* Servercert-wg on behalf of > Wayne Thayer via Servercert-wg > *Sent:* Friday, April 12, 2024 11:35:42 PM > *To:* Clint Wilson ; ServerCert CA/BF < > servercert-wg@cabforum.org> > *Subject

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-12 Thread Wayne Thayer via Servercert-wg
I've updated https://github.com/wthayer/servercert/pull/1/files as follows to exclude large key sizes: In the case of Debian weak keys vulnerability ( > https://wiki.debian.org/SSLkeys)), the CA SHALL reject all keys found at > https://github.com/cabforum/debian-weak-keys/ for each key type (e.g.
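
The rejection step the proposed 6.1.1.3 text describes, written out as an added example for this thread; it is not the ballot's text, the BRs' text, or the format of the cabforum/debian-weak-keys repository. Everything specific is this example's own assumption: the blocklist is a set of SHA-256 digests over the DER SubjectPublicKeyInfo, the list is declared to enumerate particular (algorithm, size) classes so that an unlisted size such as RSA-8192 is reported as not covered rather than looked up (the "exclude large key sizes" point above), and the sample keys are constructed integers, not real key material.

```python
"""Check a submitted SubjectPublicKeyInfo against a weak/compromised-key blocklist.

Example code for this thread. Assumptions (not the BRs' or the cabforum repo's):
  * blocklist = set of hex SHA-256 digests over the DER-encoded SPKI;
  * the blocklist enumerates specific (algorithm, size) classes, so a key of a
    class it does not cover is reported "not-covered" instead of looked up;
  * all sample keys below are constructed integers, not real key material.
"""
import base64
import hashlib

OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey 1.2.840.10045.2.1
OID_P256 = bytes.fromhex("2a8648ce3d030107")    # prime256v1 1.2.840.10045.3.1.7


# --- minimal DER encode/decode, enough for SPKI ------------------------------
def _der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                      # keep INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def _der_read(buf, pos):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_spki(n, e):
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg = _der_tlv(0x30, _der_tlv(0x06, OID_RSA) + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))


def ec_spki(curve_oid, point):
    alg = _der_tlv(0x30, _der_tlv(0x06, OID_EC) + _der_tlv(0x06, curve_oid))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + point))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


def load_pem_spki(pem):
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


# --- classification and blocklist lookup ------------------------------------
def classify_spki(der):
    """Return ("RSA", modulus_bits), ("EC", curve_oid_hex) or ("UNKNOWN", 0)."""
    _, spki, _ = _der_read(der, 0)
    _, alg, pos = _der_read(spki, 0)
    _, bitstr, _ = _der_read(spki, pos)
    _, oid, pos = _der_read(alg, 0)
    if oid == OID_RSA:
        _, rsa_pub, _ = _der_read(bitstr, 1)   # skip the unused-bits byte
        _, n_bytes, _ = _der_read(rsa_pub, 0)
        return ("RSA", int.from_bytes(n_bytes, "big").bit_length())
    if oid == OID_EC:
        _, curve, _ = _der_read(alg, pos)      # namedCurve OID follows id-ecPublicKey
        return ("EC", curve.hex())
    return ("UNKNOWN", 0)


def spki_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_key(der, blocklist, covered):
    """Return ("reject" | "accept" | "not-covered", key_class)."""
    key_class = classify_spki(der)
    if key_class not in covered:            # size/type the list does not enumerate
        return ("not-covered", key_class)
    if spki_fingerprint(der) in blocklist:
        return ("reject", key_class)
    return ("accept", key_class)


# Constructed sample keys (fake integers, not real key material).
WEAK_2048 = rsa_spki((1 << 2047) | 0xDEB1A0, 65537)
CLEAN_2048 = rsa_spki((1 << 2047) | 0xC1EA0, 65537)
BIG_8192 = rsa_spki((1 << 8191) | 0xDEB1A0, 65537)
P256 = ec_spki(OID_P256, b"\x04" + bytes(range(64)))

# Constructed blocklist and the classes it is declared to enumerate.
BLOCKLIST = {spki_fingerprint(WEAK_2048)}
COVERED = {("RSA", 1024), ("RSA", 2048), ("RSA", 4096), ("EC", OID_P256.hex())}

if __name__ == "__main__":
    for name, key in [("weak-2048", WEAK_2048), ("clean-2048", CLEAN_2048),
                      ("rsa-8192", BIG_8192), ("p256", P256)]:
        print(name, check_key(load_pem_spki(to_pem(key)), BLOCKLIST, COVERED))
```

A "not-covered" result is not an accept: it only says the blocklist has nothing to say about that class, and the key still has to pass the size and algorithm requirements and any other "made aware" compromise check the CA applies.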

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-12 Thread Wayne Thayer via Servercert-wg
Thank you Clint and Aaron, this is helpful. Here is what I propose: In the case of Debian weak keys vulnerability ([ > https://wiki.debian.org/SSLkeys)]), the CA SHALL reject all keys found at > [https://github.com/cabforum/debian-weak-keys/] for each key type (e.g. > RSA, ECDSA) and size listed

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-10 Thread Wayne Thayer via Servercert-wg
equirement to check Debian > weak keys only with sizes up to RSA 4096 under the logic that no one would > “accidentally” create an 8192 bit RSA key on a system vulnerable to Debian > Weak keys > > FWIW, https://github.com/CVE-2008-0166/private_keys already has all of > the possibl

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-05 Thread Wayne Thayer via Servercert-wg
CAs to issue certs containing abnormally sized Debian weak keys. I would like to hear from other members (especially Apple) if you prefer or object to either of these alternatives? Thanks, Wayne On Thu, Mar 28, 2024 at 4:13 PM Wayne Thayer via Servercert-wg < servercert-wg@cabforum.org>

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-03-28 Thread Wayne Thayer via Servercert-wg
feedback from any member that finds this language unacceptable, or that has suggestions to improve it. Thanks, Wayne On Fri, Mar 15, 2024 at 11:19 AM Wayne Thayer via Servercert-wg < servercert-wg@cabforum.org> wrote: > On yesterday's SCWG teleconference, Mads suggested that a way forwar

Re: [Servercert-wg] [EXTERNAL] [Discussion Period Begins]: SC-72 - Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED

2024-03-15 Thread Wayne Thayer via Servercert-wg
> > I don’t have any particular concern with the change itself, to be clear, > but the motivation behind this — and the abruptness of the introduction of > the topic — remain opaque to me. It appears to me that this bug is the motivation for this ballot:

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-03-15 Thread Wayne Thayer via Servercert-wg
could > have control over a common set of weak keys using common > parameters/algorithms which could be enforced by all CAs. > > Dimitris. > > On 9/3/2024 12:05 AM, Wayne Thayer via Servercert-wg wrote: > > Hi Clint, > > Thank you for your res

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-03-08 Thread Wayne Thayer via Servercert-wg
Hi Clint, Thank you for your response. Unfortunately, it leads me to the conclusion that there is not a path forward and we're stuck with the status quo. Having said that, I'll reply to a few of your points below and encourage others to do the same if there is a desire to move forward with an

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-03-05 Thread Wayne Thayer via Servercert-wg
26, 2024 at 1:24 PM Wayne Thayer via Servercert-wg < servercert-wg@cabforum.org> wrote: > Martijn, > > The purpose of the first weak keys ballot was to make the requirements > more explicit. If I correctly understand your proposal, by removing the > exception for Debian

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-26 Thread Wayne Thayer via Servercert-wg
> On Fri, Feb 23, 2024 at 2:19 AM Martijn Katerbarg < > martijn.katerb...@sectigo.com> wrote: > > Wayne, > > Apologies if I’ve missed something in discussions, but why exactly are we > removing the Debian Weak Keys language, and even explicitly mentioned that >

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-24 Thread Wayne Thayer via Servercert-wg
ion of the list > requiring CAs to reject certificate requests? > > > > My question stems from the abnormal line spacing and indention of the > statement, which stands out from the surrounding text. > > > > Thanks, > > > > Tom > > > > *From:* S

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-23 Thread Wayne Thayer via Servercert-wg
arg < > martijn.katerb...@sectigo.com> wrote: > > Wayne, > > Apologies if I’ve missed something in discussions, but why exactly are we > removing the Debian Weak Keys language, and even explicitly mentioned that > CAs do not need to check for them (anymore)? > > >

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-23 Thread Wayne Thayer via Servercert-wg
r them (anymore)? > > > Regards, > > Martijn > > > > *From: *Servercert-wg on behalf of > Wayne Thayer via Servercert-wg > *Date: *Thursday, 22 February 2024 at 20:01 > *To: *CA/B Forum Server Certificate WG Public Discussion List < > servercert-wg@cabforum.or

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-22 Thread Wayne Thayer via Servercert-wg
- End: TBD UTC Vote for approval (7 days): - Start: TBD UTC - End: TBD UTC On Mon, Feb 12, 2024 at 6:12 PM Wayne Thayer via Servercert-wg < servercert-wg@cabforum.org> wrote: > Thank you for the feedback Aaron. I agree with both points you made in the > PR and have updated it to refle

Re: [Servercert-wg] [Voting Period Begins] SC-070: Clarify the use of DTPs for Domain Control Validation

2024-02-14 Thread Wayne Thayer via Servercert-wg
Fastly votes Yes on ballot SC-070. - Wayne On Mon, Feb 12, 2024 at 3:55 PM Aaron Gable via Servercert-wg < servercert-wg@cabforum.org> wrote: > This ballot aims to clarify the existing language around the use of > delegated third-parties during domain and IP address control validation. It >

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-12 Thread Wayne Thayer via Servercert-wg
small comments on the ballot, but on the whole I > think I like this approach. > > Thanks again, > Aaron > > On Mon, Feb 12, 2024 at 8:18 AM Wayne Thayer via Servercert-wg < > servercert-wg@cabforum.org> wrote: > >> Following up from the last SCWG teleconf

[Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-02-12 Thread Wayne Thayer via Servercert-wg
Following up from the last SCWG teleconference, I've reviewed the feedback from the discussion [1] and voting [2] periods for ballot SC-59 Weak Key Guidance, along with the prior discussions on the "made aware" language in section 6.1.1.3 [3] and I would like to propose the following Baseline

Re: [Servercert-wg] Voting Begins for Ballot SC-68: Allow VATEL and VATXI for organizationIdentifier

2024-01-26 Thread Wayne Thayer via Servercert-wg
Fastly votes Yes on ballot SC-68. - Wayne On Tue, Jan 23, 2024 at 2:00 AM Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote: > This email initiates the voting period for ballot SC-68. Please vote. > > > Purpose of the Ballot > > The EV Guidelines have strict rules in the

Re: [Servercert-wg] [secdir] Secdir last call review of draft-gutmann-testkeys-04

2023-07-18 Thread Wayne Thayer via Servercert-wg
Hi Clint, Thank you for helping to unpack my concerns. On Mon, Jul 17, 2023 at 2:28 PM Clint Wilson wrote: > Hi Wayne, > > I’d like to better understand your worry and perhaps interpretation of BR > 6.1.1.3(4) and 4.9.1.1(3,4,16). Just to restate for my benefit, the concern > is that: IF we