CA/Browser Forum
Home » Posts » Ballot SC-75 - Pre-sign linting

Ballot SC-75 - Pre-sign linting

Results of Voting

Certificate Issuers 25 votes total, with no abstentions:

• 25 Issuers voting YES: Actalis, Buypass, Certum (Asseco), Chunghwa Telecom, D-TRUST, DigiCert, Disig, eMudhra, Fastly, GlobalSign, GoDaddy, HARICA, IdenTrust, iTrusChina, JPRS, Kamu SM, Let’s Encrypt / ISRG, OISTE, SECOM, Sectigo, SwissSign, Telia Company, TrustAsia, TWCA, VikingCloud

• 0 Issuers voting NO

• 0 Issuers ABSTAIN

Certificate Consumers 3 votes total, with no abstentions:

• 3 Consumers voting YES: Apple, Google, Mozilla

• 0 Consumers voting NO

• 0 Consumers ABSTAIN

Bylaws Requirements

  1. Bylaw 2.3(6) requires:
  • In order for a ballot to be adopted by the Forum, two‐thirds (2/3) or more of the votes cast by the Voting Members in the Certificate Issuer category must be in favour of the ballot. This requirement was MET.
  • at least fifty percent (50%) plus one (1) of the votes cast by the Voting Members in the Certificate Consumer category must be in favour of the ballot. This requirement was MET.
  • At least one (1) Voting Member in each category must vote in favour of a ballot for the ballot to be adopted. This requirement was MET.
  1. Bylaw 2.3(7) requires:
  • A ballot result will be considered valid only when more than half of the number of currently active Voting Members has participated. The number of currently active Voting Members is the average number of Voting Member organizations that have participated in the previous three (3) Forum Meetings and Forum Teleconferences.
  • the quorum was 13 for this ballot. This requirement was MET.

Purpose of the Ballot

There have been numerous compliance incidents publicly disclosed by CAs in which they failed to comply with the technical requirements described in standards associated with the issuance and management of publicly-trusted TLS Certificates. However, the industry has developed open-source tools, linters, that are free to use and can help CAs avoid certificate misissuance. Using such linters before issuing a precertificate from a Publicly-Trusted CA (pre-issuance linting) can prevent the mis-issuance in a wide variety of cases.

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by Corey Bonnell of Digicert and Ben Wilson of Mozilla.

You can view the GitHub pull request representing this ballot here.

Motion

Motion Begins

MODIFY the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” based on Version 2.0.5 as specified in the following redline: • https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db…d809c41bc063109e15d46bfe1b5ad6403d823381

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: 2024-06-12 06:30:00 UTC
  • End time: on or after 2024-06-19 06:30:00 UTC

Vote for approval (7 days)

  • Start time: 2024-06-19 10:00:00 UTC
  • End time: 2024-06-26 10:00:00 UTC
Latest releases
Code Signing Requirements
v3.7 - Mar 4, 2024

S/MIME Requirements
v1.0.4 - Ballot SMC06 - May 11, 2024

Ballot SMC06: Post implementation clarification and corrections

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Related posts
Tags
Ballot Server Certificates
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).