Ballot 99 – Add DSA Keys

Ballot overview

• Ballot 99 – Add DSA Keys was marked Passed on the ballot page.
• The ballot proposed changes to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
• The proposal added DSA-related requirements and also included an ECC assurance recommendation.

Proposed technical changes

• Add a new Appendix A table row for Root CA Certificates, Subordinate CA Certificates, and Subscriber Certificates covering minimum DSA modulus and divisor sizes of L = 2048 with N = 224 or N = 256.
• Revise the SHA-1 language in Table 3 so that SHA-1 may be used with RSA keys until SHA-256 is supported widely by browsers used by a substantial portion of relying-parties worldwide.
• Add a note explaining that L and N are the bit lengths of modulus p and divisor q, as described in FIPS 186-3.
• Add a DSA public key requirement stating that compliant DSA certificates must include all domain parameters.
• Add a DSA validation requirement that the CA must confirm the public key has the unique correct representation and range in the field, and that the key has the correct order in the subgroup.
• Add an ECC recommendation that the CA should confirm the validity of all keys using either the ECC Full Public Key Validation Routine or the ECC Partial Public Key Validation Routine.

Ballot timing

• The review period was scheduled to commence at 21:00 UTC on 19 April 2013 and close at 21:00 UTC on 26 April 2013.
• Unless withdrawn during review, the voting period would start immediately afterward and close at 21:00 UTC on 3 May 2013.

Outcome

• The ballot page explicitly labels the ballot as Passed.
• No IPR exclusion notices are mentioned in the supplied evidence.