CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments

Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments

Ballot 180 has passed – see results below.

Ballot 180 Results

CAs – 18 yes, 0 no, 3 abstain (plus one yes vote on the Management list, which will not be counted)

Browsers – 5 yes, 0 no, 0 abstain

Result: Ballot 180 passes (requires 2/3 affirmative vote by CAs and majority affirmative vote by browsers). Quorum is 10 votes – quorum achieved.

CA Votes on Ballot 180:

18 yes on Public list – Amazon, ANF Autoridad de Certif., Buypass, CFCA, Cisco, Comodo, Disig, D-Trust, Entrust, GDCA, GlobalSign, GoDaddy, Harica, Izenpe, SHECA, Symantec, Trustwave, TurkTrust.

3 abstain on Public list – Actalis, Chunghwa Telecom, DigiCert

1 yes on Management list (not counted in vote total) – CNNIC

Browser Votes on Ballot 180:

5 yes on Public list: Apple, Google, Mozilla, Opera, Qihoo 360

The voting period for Ballot 180 has started, and will continue until January 7, 2017 at 22:00 UTC. The ballot is shown below. Please vote this week on this ballot and also on Ballot 181. Bylaw 2.2(d) says “All voting will take place online via the members’ electronic mailing list”, so voting should take place on the management list, .

Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments

The following motion has been proposed by Kirk Hall of Entrust and endorsed by Peter Bowen of Amazon and Virginia Fournier of Apple as a Final Guideline:

  • MOTION BEGINS –

In accordance with the Bylaws and Intellectual Property Rights (IPR) Policy of the CA/Browser Forum (the “Forum”), the following Guidelines:

  • Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates (BRs)
  • Guidelines for the Issuance and Management of Extended Validation Certificates (EVGL)
  • Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates, and
  • Network and Certificate System Security Requirements,

all as previously approved by all ballots up to and including Ballot 175, are hereby readopted by this Ballot, with the following amendments.

  1. BR 3.2.2.4 is amended to read in its entirety as follows:

3.2.2.4 Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant’s ownership or control of the domain.

The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate by using any method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the Fully Qualified Domain Name (FQDN).

Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant’s Parent Company, Subsidiary Company, or Affiliate.

  1. EVGL 11.7 is amended to read in its entirety as follows:

11.7.1. Verification Requirements

(1) For each Fully-Qualified Domain Name listed in a Certificate, other than a Domain Name with .onion in the rightmost label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F.

(2) Mixed Character Set Domain Names: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.

The proposer and endorsers of this Ballot may withdraw this Ballot at any time prior to completion of the final vote for approval, in which case the Ballot will not proceed further.

Motion ends

The procedure for this Maintenance Guideline ballot is as follows (exact start and end times may be adjusted to comply with applicable Bylaws and IPR Agreement):

BALLOT 180

Status: Final GuidelineStart time (22:00 UTC)End time (22:00 UTC)
Discussion (7 days)Oct. 25, 2016Nov. 1, 2016
Review Period (Chair to send Review Notice) (60 days). If Exclusion Notice(s) filed, PAG to be created and no further action until PAG recommendations received. If no Exclusion Notice(s) filed, proceed to:Nov. 1, 2016Dec. 31, 2016
Vote for approval (7 days)Dec. 31, 2016Jan. 7, 2017

Votes must be cast by posting an on-list reply to this thread on the Public list.

A vote in favor of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: /about/membership/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members – at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates: Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action; Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).