CA/Browser Forum

Ballot 29 – Guidelines Renumbering (Passed)

Motion

Tim Moses has made the following motion, and Bjorn Vermo and Nick Hales have endorsed it:

Motion begins

Effective upon ratification of Version 1.2, the Guidelines should be renumbered in accordance with the following table.

Proposed section number -> Current section label

Front matter -> Front matter, A.1.(c) Guidelines Issuing Authority, A.1.(d) Revisions to Guidelines paras 1 and 2

ToC -> ToC

  1. Scope -> A.1.(b) Scope

  2. References -> Requires new material

  3. Definitions -> DEFINITIONS

  4. Abbreviations and acronyms -> Requires new material

  5. Conventions -> A.1.(a) para 2 General, A.1.(d) Revisions to Guidelines para 3

  6. Basic concept of the EV certificate -> A.1.(a) para 1 General, B. Basic concept of the EV certificate

6.1 Purpose of EV certificates -> 2. Purpose of EV Certificates

6.1.1 Primary Purposes -> (a) Primary Purposes

6.1.2 Secondary Purposes -> (b) Secondary Purposes

6.1.3 Excluded Purposes -> (c) Excluded Purposes

6.2 EV certificate warranties and representations -> 3. EV Certificate Warranties and Representations

6.2.1 By the CA and Root CA -> (a) By the CA and Root CA

6.2.2 By the Subscriber -> (b) By the Subscriber

  7. Community and applicability -> C. COMMUNITY AND APPLICABILITY

7.1 Issuance of EV Certificates -> 4. Issuance of EV Certificates

7.1.1 Compliance -> (a) Compliance

7.1.2 EV Policies -> (b) EV Policies

7.1.3 Insurance -> (c) Insurance

7.1.4 Audit Requirements -> (d) Audit Requirements

7.2 Obtaining EV Certificates -> 5. Obtaining EV Certificates

7.2.1 General -> (a) General

7.2.2 Private Organization Subjects -> (b) Private Organization Subjects

7.2.3 Government Entity Subjects -> (c) Government Entity Subjects

7.2.4 Business Entities -> (d) Business Entities

7.2.5 Non-Commercial Entity Subjects -> (d) Non-Commercial Entity Subjects

  8. EV certificate content and profile -> D. EV CERTIFICATE CONTENT AND PROFILE

8.1 EV Certificate Content Requirements -> 6. EV Certificate Content Requirements

8.1.1 Subject Organization Information -> (a) Subject Organization Information

8.2 EV Certificate Policy Identification Requirements -> 7. EV Certificate Policy Identification Requirements

8.2.1 EV Subscriber Certificates -> (a) EV Subscriber Certificates

8.2.2 EV Subordinate CA Certificates -> (b) EV Subordinate CA Certificates

8.2.3 Root CA Certificates -> (c) Root CA Certificates

8.3 Maximum Validity Period -> 8. Maximum Validity Period

8.3.1 For EV Certificate -> (a) For EV Certificate

8.3.2 For Validated Data -> (b) For Validated Data

8.4 Other Technical Requirements for EV Certificates -> 9. Other Technical Requirements for EV Certificates

  9. EV Certificate request requirements -> E. EV CERTIFICATE REQUEST REQUIREMENTS

9.1 General Requirements -> 10. General Requirements

9.1.1 Documentation Requirements -> (a) Documentation Requirements

9.1.2 Role Requirements -> (b) Role Requirements

9.2 EV Certificate Request Requirements -> 11. EV Certificate Request Requirements

9.2.1 General -> (a) General

9.2.2 Request and Certification -> (b) Request and Certification

9.2.3 Information Requirements -> (c) Information Requirements

9.3 Subscriber Agreement Requirements -> 12. Subscriber Agreement Requirements

9.3.1 General -> (a) General

9.3.2 Agreement Requirements -> (b) Agreement Requirements

  10. Information verification requirements -> F. INFORMATION VERIFICATION REQUIREMENTS

10.1 General Overview -> 13. General Overview

10.1.1 Verification Requirements – Overview -> (a) Verification Requirements – Overview

10.1.2 Acceptable Methods of Verification – Overview -> (b) Acceptable Methods of Verification – Overview

10.2 Verification of Applicant’s Legal Existence and Identity -> 14. Verification of Applicant’s Legal Existence and Identity

10.2.1 Verification Requirements -> (a) Verification Requirements

10.2.2 Acceptable Method of Verification -> (b) Acceptable Method of Verification

10.3 Verification of Applicant’s Legal Existence and Identity – Assumed Name -> 15. Verification of Applicant’s Legal Existence and Identity – Assumed Name

10.3.1 Verification Requirements -> (a) Verification Requirements

10.3.2 Acceptable Method of Verification -> (b) Acceptable Method of Verification

10.4 Verification of Applicant’s Physical Existence -> 16. Verification of Applicant’s Physical Existence

10.4.1 Address of Applicant’s Place of Business -> (a) Address of Applicant’s Place of Business

10.4.2 Telephone Number for Applicant’s Place of Business -> (b) Telephone Number for Applicant’s Place of Business

10.5 Verification of Applicant’s operational existence -> 17. Verification of Applicant’s Operational Existence

10.5.1 Verification Requirements -> (a) Verification Requirements

10.5.2 Acceptable Methods of Verification -> (b) Acceptable Methods of Verification

10.6 Verification of Applicant’s Domain Name -> 18. Verification of Applicant’s Domain Name

10.6.1 Verification Requirements -> (a) Verification Requirements

10.6.2 Acceptable Methods of Verification -> (b) Acceptable Methods of Verification

10.7 Verification of Name, Title, and Authority of Contract Signer and Certificate Approver -> 19. Verification of Name, Title and Authority of Contract Signer & Certificate Approver

10.7.1 Verification Requirements -> (a) Verification Requirements

10.7.2 Acceptable Methods of Verification – Name, Title and Agency -> (b) Acceptable Methods of Verification – Name, Title, and Agency

10.7.3 Acceptable Methods of Verification – Authorization -> (c) Acceptable Methods of Verification – Authorization

10.7.4 Pre-Authorized Certificate Approver -> (d) Pre-Authorized Certificate Approver

10.8 Verification of Signature on Subscriber Agreement and EV Certificate Requests -> 20. Verification of Signature on Subscriber Agreement and EV Certificate Requests

10.8.1 Verification Requirements -> (a) Verification Requirements

10.8.2 Acceptable Methods of Signature Verification -> (b) Acceptable Methods of Signature Verification

10.9 Verification of Approval of EV Certificate Request -> 21. Verification of Approval of EV Certificate Request

10.9.1 Verification Requirements -> (a) Verification Requirements

10.9.2 Acceptable Methods of Verification -> (b) Acceptable Methods of Verification

10.10 Verification of Certain Information Sources -> 22. Verification of Certain Information Sources

10.10.1 Verified Legal Opinion -> (a) Verified Legal Opinion

10.10.2 Verified Accountant Letter -> (b) Verified Accountant Letter

10.10.3 Face-to-face Validation -> (c) Face-to-face validation

10.10.4 Independent confirmation from Applicant -> (d) Independent Confirmation From Applicant

10.10.5 Qualified Independent Information Sources (QIIS) -> (e) Qualified Independent Information Sources (QIIS)

10.10.6 Qualified Government Information Source (QGIS) -> (f) Qualified Government Information Sources (QGIS)

10.10.7 Qualified Government Tax Information Source (QGTIS) -> (g) Qualified Government Tax Information Sources (QGTIS)

10.11 Other Verification Requirements -> 23. Other Verification Requirements

10.11.1 High Risk Status -> (a) High Risk Status

10.11.2 Denied Lists and Other Legal Black Lists -> (b) Denied Lists and Other Legal Black Lists

10.12 Final Cross-Correlation and Due Diligence -> 24. Final Cross-Correlation and Due Diligence

10.13 EV Certificate Renewal Verification Requirements -> 25. EV Certificate Renewal Verification Requirements

10.13.1 Validation for Renewal Requests -> (a) Validation for Renewal Requests

10.13.2 Validation for Reissuance Requests -> (b) Validation for Reissuance Requests

10.13.3 Renewal Exceptions -> (c) Renewal Exceptions

  11. Certificate status checking and revocation issues -> G. CERTIFICATE STATUS CHECKING AND REVOCATION ISSUES

11.1 EV Certificate Status Checking -> 26. EV Certificate Status Checking

11.1.1 Repository -> (a) Repository

11.1.2 Reasonable User Experience -> (b) Reasonable User Experience

11.1.3 Response Time -> (c) Response Time

11.1.4 Deletion of Entries -> (d) Deletion of Entries

11.2 EV Certificate Revocation -> 27. EV Certificate Revocation

11.2.1 Revocation Guidelines and Capability -> (a) Revocation Guidelines and Capability

11.2.2 Revocation Events -> (b) Revocation Events

11.3 EV Certificate Problem Reporting and Response Capability -> 28. EV Certificate Problem Reporting and Response Capability

11.3.1 Reporting -> (a) Reporting

11.3.2 Investigation -> (b) Investigation

11.3.3 Response -> (c) Response

  12. Employee and third party issues -> H. EMPLOYEE AND THIRD PARTY ISSUES

12.1 Trustworthiness and Competence -> 29. Trustworthiness and Competence

12.1.1 Identity and Background Verification -> (a) Identity and Background Verification

12.1.2 Training and Skills Level -> (b) Training and Skills Level

12.1.3 Separation of Duties -> (c) Separation of Duties

12.2 Delegation of Functions to Registration Authorities and Subcontractors -> 30. Delegation of Functions to Registration Authorities and Subcontractors

12.2.1 General -> (a) General

12.2.2 Enterprise RAs -> (b) Enterprise RAs

12.2.3 Guidelines Compliance Obligation -> (c) Guidelines Compliance Obligation

12.2.4 Responsibility -> (d) Responsibility

  13. Data and record issues -> I. DATA AND RECORD ISSUES

13.1 Documentation and Audit Trail Requirements -> 31. Documentation and Audit Trail Requirements

13.2 Document Retention -> 32. Document Retention

13.2.1 Audit Log Retention -> (a) Audit Log Retention

13.2.2 Retention of Documentation -> (b) Retention of Documentation

13.3 Reuse and Updating Information and Documentation -> 33. Reuse and Updating Information and Documentation

13.3.1 Use of Documentation to Support Multiple EV Certificates -> (a) Use of Documentation to Support Multiple EV Certificates

13.3.2 Use of Pre-Existing Information or Documentation -> (b) Use of Pre-Existing Information or Documentation

13.4 Data Security -> 34. Data Security

13.4.1 Objectives -> (a) Objectives

13.4.2 Risk Assessment -> (b) Risk Assessment

13.4.3 Security Plan -> (c) Security Plan

13.4.4 Dual Access Control -> (d) Dual Access Control

  14. Compliance -> J. COMPLIANCE

14.1 Audit Requirements -> 35. Audit Requirements

14.1.1 Pre-Issuance Readiness Audit -> (a) Pre-Issuance Readiness Audit

14.1.2 Regular Self Audits -> (b) Regular Self Audits

14.1.3 Annual Independent Audit -> (c) Annual Independent Audit

14.1.4 Auditor Qualification -> (d) Auditor Qualifications

14.1.5 Root Key Generation -> (e) Root Key Generation

  15. Other contractual compliance -> K. OTHER CONTRACTUAL COMPLIANCE

15.1 Privacy/Confidentiality Issues -> 36. Privacy/Confidentiality Issues

15.2 Limitations on EV Certificate Liability -> 37. Limitations on EV Certificate Liability

15.2.1 CA Liability -> (a) CA Liability

15.2.2 Root CA Indemnification -> (b) Root CA Indemnification

Appendix A – Minimum Cryptographic Algorithm and Key Sizes -> Appendix A - Minimum Cryptographic Algorithm and Key Sizes

Appendix B – EV Certificates Required Certificate Extensions -> Appendix B - EV Certificates Required Certificate Extensions

Appendix C – User Agent Verification -> Appendix C - User Agent Verification

Appendix D – Sample Form Legal Opinion Letter -> Appendix D - Sample Form Legal Opinion Letter

Appendix E – Sample Accountant Letters Confirming Specified Information -> Appendix E - Sample Accountant Letters Confirming Specified Information

Appendix F – Foreign Organization Name Guidelines -> Appendix F - Foreign organization name guidelines

Appendix G – Code-signing: Introduction (Informative) -> Appendix G - Code-Signing: Introduction

Appendix H – Code-signing: Requirements for Certification Authorities (Normative) -> Appendix H - Code-Signing: Requirements for Certification Authorities

Appendix I – Code-signing: Requirements for Timestamp Authorities (Normative) -> Appendix I - Code-Signing: Requirements for Timestamp Authorities

Appendix J – Code-signing: Requirements for Signing Authorities (Normative) -> Appendix J - Code-Signing: Requirements for Signing Authorities

Motion ends

The ballot review period comes into effect at 2100 UTC on 30 June 09 and will close at 2100 UTC on 7 July 2009. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 14 July 2009.

Votes must be cast by ‘reply all’ to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).