CA/Browser Forum

Ballot 168 – Baseline Requirement Corrections – revised

Voting on Ballot 168 (BR Corrections) has now closed. The results are as follows:

From the CAs, we received 25 YES votes, 0 NO votes and 0 Abstentions

NOTE: Due to the membership status of 4 CAs that voted YES (which will be approved on tomorrow’s call), those 4 votes are disqualified, giving us a total of 21 YES votes.

From the Browsers, we received 3 YES votes, 0 NO votes and 0 Abstentions

Therefore the ballot passes, unanimously.

Detailed results can be seen on the ballot tracker (with the CAs whose vote doesn’t count shown in red):

The Chair requests the editor make the ballot updates to the canonical versions of the documents.

Dean Coclin

CA/B Forum Chair

Ballot 168: Baseline Requirements Corrections (Revised)

The following motion has been proposed by Peter Bowen of Amazon and endorsed by Dimitris Zacharopoulos of HARICA and Rich Smith of Comodo:

Background

A number of small corrections and clarifications to the Baseline Requirements have been identified. These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum. Due to the understanding that these primarily represent existing practice, they are combined for efficiency.

Motion begins

Effective the date of passage, the following modifications to the Baseline Requirements are adopted:

In Section 1.6.1:

  • In the definition of “Applicant Representative”, replace “and agrees to the Certificate Terms of Use” with “the Terms of Use” and append “or is the CA” at the end of the definition;

  • In the definition of “Country”, replace “soverign nation” with “Soverign State”;

  • In the definition of “Terms of Use”, append “or is the CA” at the end of the definition;

In Section 1.6.3:

  • Delete RFC2560;

  • Insert “RFC6960, Request for Comments: 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP. Santesson, Myers, Ankney, Malpani, Galperin, Adams, June 2013.”;

  • Delete X.509v3

  • Insert “X.509, Recommendation ITU-T X.509 (10/2012) | ISO/IEC 9594-8:2014 (E), Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks.”

Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank.

In section 4.9.9, replace all occurrences of “RFC2560” with “RFC6960”.

In section 5.2.2, insert “CA” immediately before “Private Key”.

In section 6.1.2, append “without authorization by the Subscriber” to the end of the first sentence.

In section 6.1.6, update the last citation to read: “[Source: Sections 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 56A: Revision 2]”

In section 6.2, in the second sentence, insert “CA” immediately before both instances of “Private Key”.

In section 6.2.5, append “without authorization by the Subordinate CA” to the end of the sentence.

In sections 7.1.2.1(e) and 7.1.2.2(h) change the organizationName line to read:

– organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.

In section 7.1.2.3(d), replace the text with “The cA field MUST NOT be true.”

Replace “Subordiate” with “Subordinate” in the title of 7.1.6.3.

In section 9.6.1 item 6:

  • Insert “are the same entity or” immediately prior to “are Affiliated”;

  • Remove “and accepted”.

In section 9.6.3, replace “agreement to the Terms of Use agreement.” with “acknowledgement of the Terms of Use.”

In section 9.6.3 item 2, replace “maintain sole control” with “assure control”.

In the following sections, replace all occurrences of “Subscriber or Terms of Use Agreement” with “Subscriber Agreement or Terms of Use”.

  • Section 1.6.1, in the definition of “Subscriber”

  • Section 4.1.2

  • Section 4.9.1.1

  • Section 4.9.11

  • Section 9.6.1

  • Section 9.6.3

Motion ends

The review period for this ballot shall commence at 1740 UTC on 26 April 2016, and will close at 2200 UTC on 3 May 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 10 May 2016. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://docs.google.com/spreadsheets/d/1FBsMZjlzyvK3mFR1u4qMqvZwlI86yJ-v0am1pCBo8uI/edit#gid=4 / members/

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).