Home » All CA/Browser Forum Posts » Ballot 87 – Instant Runoff Ballot on Governance

Ballot 87 – Instant Runoff Ballot on Governance

Instant Runoff Ballot on Governance

Voting by instant-runoff

17 Members Voted

Mozilla: PayPal,DigiCert, Trend, No Change, Microsoft

StartCom: TrendMicro, No Change

Trustwave: PayPal, DigiCert

TrendMicro: TrendMicro, No change, Microsoft, DigiCert, PayPal

Logius PKIoverheid: TrendMicro, Microsoft

SSC: TrendMicro, No Change

Symantec: Microsoft, DigiCert, TrendMicro, PayPal, No Change

DigiCert: DigiCert, Microsoft, TrendMicro, PayPal

BuyPass: DigiCert, TrendMicro, PayPal, Microsoft

Opera: PayPal, Microsoft, DigiCert, TrendMicro

‘QuoVadis: DigiCert, Microsoft, TrendMicro

GlobalSign: TrendMicro, DigiCert, Microsoft, PayPal, No Change

GoDaddy: TrendMicro, Microsoft, DigiCert

SwissSign: TrendMicro, Microsoft, No Change, DigiCert, PayPal

Comodo: DigiCert, TrendMicro, Microsoft

Microsoft: DigiCert, Microsoft, TrendMicro

Google: PayPal, DigiCert, TrendMicro, No Change, Microsoft

Runoff Results

Round 1 – Trend Micro 7, DigiCert 5, PayPal 4, Microsoft 1, No Change 0

Round 2 – Trend Micro 7, DigiCert 5, PayPal 4, Microsoft 1

Round 3 – Trend Micro 7, DigiCert 6, PayPal 4

Round 4 – Trend Micro 7, DigiCert 10

Result: Proposals of Trend Micro and DigiCert will proceed to further vote.

Ballot 87 Text

This is an instant run-off ballot to eliminate all but two of the following proposals (listed in alphabetical order):

• DigiCert Proposal

• Microsoft Proposal

• No Change Proposal

• PayPal Proposal

• Trend Micro Proposal

Each voting member may assign the numbers 1 to 5 to the proposals in order of preference (1 indicating their most preferred choice).

Each member who votes shall (at least) assign the number ‘1’, and may assign further numbers up to and including ‘5’.

Votes ranked ‘1’ shall be counted and the proposal with the fewest votes shall be eliminated.

The votes of the corresponding members that voted ‘1’ for a proposal eliminated shall be reassigned to the proposal ranked ‘2’ by those members.

Where a member has not identified a proposal with rank ‘2’, his or her vote shall not be reassigned.

This procedure shall be repeated, counting reassigned votes, until just two proposals remain.

Votes must clearly indicate their preferred options.

Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Votes on this Ballot 87 must be cast by posting an on-list reply to this thread.

Latest releases

Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025