Server Certificate Working Group Ballots

Ballots by Status

Voting Period

IPR Review Period

Discussion Period

• SC099: Improve Recording of Validation Method
• SC098: Process RFC 8657 CAA Parameters (Wayne)

Draft / Under Consideration

• SC087: Registration Number Improvement for EV Certificates

Passed

• SC095v3: Clean-up 2025
• SC097: Sunset all remaining use of SHA-1 signatures in Certificates and CRLs
• SC096: Carve-out for DNSSEC verification logging requirements
• SC094v2: DNSSEC exception in email DCV methods
• SC090: Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5
• SC091: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses
• SC088v3: DNS TXT Record with Persistent Value DCV Method
• SC092: Sunset use of Precertificate Signing CAs
• SC089: Mass Revocation Planning
• SC086v3: Sunset the Inclusion of IP Reverse Address Domain Names
• SC081v3: Introduce Schedule of Reducing Validity and Data Reuse Periods
• SC085: Require DNSSEC for CAA and DCV Lookups
• SC084: DNS Labeled with ACME Account ID Validation Method
• SC083: Winter 2024-2025 Cleanup Ballot
• SC080v3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods
• SC079v2: Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate
• SC076v2: Clarify and Improve OCSP Requirements
• SC078: Subject organizationName alignment for DBA / Assumed Name
• SC077: Update WebTrust Audit name in Section 8.4 and References
• SC075: Pre-sign linting
• SC073: Compromised and Weak Keys
• SC072: Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED
• SC068: Allow VATEL and VATXI for organizationIdentifier
• SC067: Require Multi-Perspective Issuance Corroboration
• SC069: Clarify router and firewall logging requirements
• SC065: Convert EVGs into RFC3647 format
• SC063: Make OCSP optional, require CRLs and incentivize automation
• SC064: Temporary Moratorium on New Certificate Consumer Memberships
• SC066v4: Fall 2023 clean-up
• SC062: Certificate profiles update
• SC061: New CRL Entries must have a Revocation Reason Code
• SC058: require distributionPoint in sharded CRLs
• SC056: 2022 Cleanup

Cancelled

• SC095: Clean-up 2025
• SC088v2: DNS TXT Record with Persistent Value DCV Method
• SC071: Subscriber Agreement and Terms of Use Consolidation
• SC076: Clarify and Improve OCSP Requirements

Failed

• SC082: Clarify CA Assisted DNS Validation under 3.2.2.4.7
• SC074: Clarify CP/CPS structure according to RFC 3647
• SC070: Clarify the use of DTPs for Domain Control Validation
• SC059: Weak key guidance
• SC060: Membership of ZT Browser

Information about Ballots

• Ballot SC095v3: Clean-up 2025
• Ballot SC097: Sunset all remaining use of SHA-1 signatures in Certificates and CRLs
• Ballot SC094v2: DNSSEC exception in email DCV methods
• Ballot SC096: Carve-out for DNSSEC verification logging requirements
• Ballot SC-090: Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5
• Ballot SC-091: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses
• Ballot SC-086v3: Sunset the Inclusion of IP Reverse Address Domain Names
• Ballot SC-088v3: DNS TXT Record with Persistent Value DCV Method
• Ballot SC-092: Sunset use of Precertificate Signing CAs
• Ballot SC-089: Mass Revocation Planning
• Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups
• Ballot SC081v3: Introduce Schedule of Reducing Validity and Data Reuse Periods
• Ballot SC084: DNS Labeled with ACME Account ID Validation Method
• Ballot SC083v3: Winter 2024-2025 Cleanup Ballot
• Ballot SC082: Clarify CA Assisted DNS Validation under 3.2.2.4.7
• Ballot SC080v3: Sunset the use of WHOIS to identify Domain Contacts and relying DCV Methods
• Ballot SC076v2: Clarify and improve OCSP requirements
• Ballot SC079v2: Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate
• Ballot SC078: Subject organizationName alignment for DBA / Assumed Name
• Ballot SC077: Update WebTrust Audit name in Section 8.4 and References
• Ballot SC067v3: Require domain validation and CAA checks to be performed from multiple Network Perspectives Corroboration
• Ballot SC075: Pre-sign linting
• Ballot SC073: Compromised and weak keys
• Ballot SC072: Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED
• Ballot SC065v2: Convert EVGs into RFC 3647 format
• Ballot SC069: Clarify router and firewall logging requirements
• Ballot SC070: Clarify the use of DTPs for Domain Control Validation
• Ballot SC068: Allow VATEL and VATXI for organizationIdentifier
• Ballot SC066v4: Fall 2023 Clean up
• Ballot SC063v4: Make OCSP Optional, Require CRLs, and Incentivize Automation
• Ballot SC059v2: Weak key guidance
• Ballot SC064: Temporary Moratorium on New Certificate Consumer Memberships
• Ballot SC062v2: Certificate profiles update
• Ballot SC061v4: New CRL Entries must have a Revocation Reason Code
• Ballot SC060: Membership of ZT Browser
• Ballot SC058: Require distributionPoint in sharded CRLs
• Ballot SC056: 2022 Cleanup
• Ballot SC054: Onion Cleanup
• Ballot SC051: Reduce and Clarify Audit Log and Records Archival Retention Requirements
• Ballot SC053: Sunset for SHA-1 OCSP Signing
• Ballot SC052v2: Specify CRL Validity Intervals in Seconds
• Ballot SC050: Remove the requirements of section 4.1.1
• Ballot SC049: Special Election for Server Certificate Working Group Vice-Chair
• Ballot SC048v2: Domain Name and IP Address Encoding
• Ballot SC047v2: Sunset subject:organizationalUnitName
• Ballot SC045: Wildcard Domain Validation
• Ballot SC046: Sunset the CAA exception for DNS Operator
• Ballot SC044: Clarify Acceptable Status Codes
• Ballot SC042: 398-day Re-use Period
• Ballot SC043: Clarify Acceptable Status Codes
• Ballot SC041: Reformatting the BRs, EVGs, and NCSSRs
• Ballot SC037: Election of Server Certificate Working Group Vice Chair
• Ballot SC309v3: Definition of Critical Vulnerability
• Ballot SC040: Security Requirements for Air-Gapped CA Systems
• Ballot SC038: Alignment of Record Archival
• Special Ballot CSCWG-5: Election of Code Signing Certificate Working Group Vice Chair
• Ballot SC034: Account Management
• Ballot CSCWG-3: Election of Code Signing Certificate Working Group Chair
• Ballot SC036: Election of Server Certificate Working Group Chair
• Ballot SC028: Logging and Log Retention
• Ballot SC035: Cleanups and Clarifications
• Ballot SC033: TLS Using ALPN Method
• Ballot SC032: NCSSRs Zones
• Ballot CSCWG-2: Combine Baseline and EV Code Signing Documents
• Ballot SC030v2: Disclosure of Registration / Incorporating Agency
• Ballot SC031: Browser Alignment
• Ballot SC029v3: System Configuration Management
• Ballot SC026v2: Pandoc-Friendly Markdown Formatting Changes
• Ballot SC020: System Configuration Management
• Ballot SC027v3: Version 3 Onion Certificates
• Ballot SC025: Define New HTTP Domain Validation Methods v2
• Ballot SC023v3: Precertificates
• Ballot SC024v2: Fall Cleanup
• Ballot SC021: The Network and Certificate Systems Security Requirements section 3 (Log Integrity Controls)
• Ballot SC022v2: Reduce Certificate Lifetimes
• Ballot FORUM-9: Bylaws and Server Certificate Working Group Charter Updates
• Ballot SC019: Phone Contact with DNS CAA Phone Contact v2
• Ballot SC017v7: Alternative registration numbers for EV certificates
• Ballot SC018: Phone Contact with DNS CAA Phone Contact
• Ballot SC016: Other Subject Attributes
• Ballot SC007: Update IP Address Validation Methods
• Ballot SC015: Remove Validation Method Number 9
• Ballot SC014: Updated Phone Validation Methods
• Ballot SC013: CAA Contact Property and Associated E-mail Validation Methods
• Ballot SC012: Sunset of Underscores in dNSNames
• Ballot SC004: CAA Contact Property and Associated E-mail Validation Method
• Ballot Forum-7: Update ETSI requirements in SCWG Charter
• Ballot SC010: Establishing the Network Security Subcommittee of the SCWG
• Ballot SC009: Establish the Validation Subcommittee of the SCWG
• Ballot SC005: Election of Wayne Thayer as SCWG Vice Chair
• Ballot SC011: Update ETSI requirements in the SCWG Charter
• Ballot SC006: Revocation Timeline Extension
• Ballot SC008: Election of Dimitris Zacharopoulos as SCWG Chair
• Ballot SC003: Two-Factor Authentication and Password Improvements
• Ballot SC001: [Empty]
• Ballot SC002: Validating Certificates via CAA CONTACT
• Ballot 221 – Two-Factor Authentication and Password Improvements
• Ballot 224: WHOIS and RDAP
• Ballot 223 – Update BR Section 8.4 for CA audit criteria
• Ballot 222 – Remove “Any other method” for IP Address validation
• Ballot 219 – Clarify handling of CAA Record Sets with no “issue”/”issuewild” property tag
• Ballot 220 – Minor Cleanups (Spring 2018)
• Ballot 218 – Remove validation methods 1 and 5
• Ballot 217 – Sunset RFC 2527
• Ballot 208 – dnQualifiers
• Ballot 207 – ASN.1 Jurisdiction in EV Guidelines
• Ballot 209 – EV Liability
• Ballot 215 – Fix Ballot 190 Errata
• Ballot 213 – Revocation Timeline Extension
• Ballot 211 – Resolution of Approval for WTCA v2.1 Changes
• Ballot 214 – CAA Discovery CNAME Errata
• Ballot 190 – Revised Validation Requirements
• Ballot 212 – Canonicalise formal name of the Baseline Requirements
• Ballot 210 – Misc. Changes to the NCSSR
• Ballot 202 – Underscore and Wildcard Characters
• Ballot 204 – Forbid DTPs from doing Domain/IP Ownership
• Ballot 192 – Notary Revision
• Ballot 201 – .onion Revisions
• Ballot 191 – Clarify Place of Business Information
• Ballot 199 – Require commonName in Root and Intermediate Certificates
• Ballot 198 – .Onion Revisions
• Ballot 197 – Effective Date of Ballot 193 Provisions
• Ballot 196 – Define “Audit Period”
• Ballot 195 – CAA Fixup
• Ballot 189 – Amend Section 6.1.7 of Baseline Requirements
• Ballot 194 – Effective Date of Ballot 193 Provisions
• Ballot 193 – 825-day Certificate Lifetimes
• Ballot 187 – Make CAA Checking Mandatory
• Ballot 188 – Clarify use of term “CA” in Baseline Requirements
• Ballot 185 – Limiting the Lifetime of Certificates
• Ballot 186 – Limiting the Reuse of Validation Information
• Ballot 184 – RFC822 Names and otherNames
• Ballot 182 – Readopting BR 3.2.2.4 (Part 2)
• Ballot 181 – Readopting BR 3.2.2.4 (Part 1)
• Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments
• Ballot 176 – Addition of CNAME verification to domain validation methods
• Ballot 175 – Addition of given name and surname
• Ballot 174 – Reform of Requirements Relating to Conflict with Local Laws
• Ballot 169 – Revised Validation Requirements
• Ballot 173 – Removal of requirement to cease use of private key due to incorrect certificate info
• Ballot 171 – Updating the ETSI standards in the CABF documents
• Ballot 170 – Amend Section 5.1 of Baseline Requirements
• Ballot 168 – Baseline Requirement Corrections – revised
• Ballot 167 – Baseline Requirements Corrections
• Ballot 164 – Certificate Serial Number Entropy
• Ballot 163 – Fix Errata in EV Guidelines 11.2.1
• Ballot 162 – Sunset of Exceptions
• Ballot 161 – Notification of incorrect issuance
• Ballot 160 – Amend Section 4 of Baseline Requirements
• Ballot 159 – Amend Section 4 of Baseline Requirements
• Ballot 156 – Amend Sections 1 and 2 of Baseline Requirements
• Ballots 154 and 155 – Convert to RFC 3647 Framework and GitHub
• Ballot 155 – Convert Network and Certificate System Security Requirements to RFC 3647 Framework and GitHub
• Ballot 153 – Short-Lived Certificates
• Ballot 152 – SHA-1 Deprecation
• Ballot 151 – Addition of Optional OIDs for Indicating Level of Validation
• Ballot 150 – OID Revisions
• Ballot 147 – Attorney Accountant Letter Changes
• Ballot 146 – Convert Baseline Requirements to RFC 3647 Framework
• Ballot 148 – Issuer Field Correction
• Ballot 145 – Operational Existence for Government Entities
• Ballot 144 – Validation rules for .onion names
• Ballot 143 – Formalization of Validation Working Group
• Ballot 142 – Elimination of EV Insurance Requirement
• Ballot 141 – Elimination of EV Insurance Requirement; Financial Responsibility for Mis-Issued Certificates
• Ballot 140 – Short-Life Certificates
• Ballot 133 – Insurance Requirements for EV Issuers
• Ballot 135 – ETSI Auditor Qualifications (passed)
• Ballot 134 – Application of RFC 5280 to Pre-certificates
• Ballot 123 – Reuse of Information (passed)
• Ballot 118 – SHA-1 Sunset (passed)
• Ballot 125 – CAA Records (passed)
• Ballot 131 – Update to Verified Method of Communication (passed)
• Ballot 129 – PSL in BR 11.1.3 (passed)
• Ballot 126 – Operational Existence (passed)
• Ballot 127 – Verification of Agency in EV Guidelines 11.7.2 (passes)
• Ballot 128 – CP Review Working Group (passes)
• Ballot 124 – Business Entity Clarification (passed)
• Ballot 120 – Affiliate Authority to Verify Domain (passed)
• Ballot 122 – Verified Method of Communication (failed)
• Ballot 121 – EV Guidelines Insurance Requirements(failed)
• Ballot 112 – Replace Definition of “Internal Server Name” with “Internal Name”(passed)
• Ballot 119 – Remove “OfIncorporation” from OID descriptions in EVG 9.2.5(passed)
• Ballot 114 – Improvements to the EV Definitions(passed)
• Ballot 89 – Publish Recommendations for the Processing of EV SSL Certificates v.2(passes)
• Ballot 113 – Revision to QIIS in EV Guidelines(passes)
• Ballot 111 – Accelerate Max Certificate Lifetime Reduction Timetable
• Ballot 107 – Removing Version Numbers to WebTrust and ETSI Standards From CABF Guidelines
• Ballot 108 – Defining the Scope of the Baseline Requirements
• Ballot 106 – Extended Deadline to Prohibit OCSP “Good” Response for Non-Issued Certificates
• Ballot 105 – Technical Constraints for Subordinate Certificate Authorities Yielding Broader and Safer PKI Adoption.
• Ballot 104 – EV Domain Validation
• Ballot 103 – OCSP AIA and TLS Feature Extension
• Ballot 101 – EV 11.10.2 Accountants
• Ballot 102 – BR 9.2.3 domainComponent
• Ballot 100 – Extend Deadline – OCSP Good Response
• Ballot 99 – Add DSA Keys
• Ballot 97 – Prevention of Unknown Certificate Contents
• Ballot 96 – Wildcard Certificates and New gTLDs
• Ballot 92 – Subject Alternative Names
• Ballot 93 – Reasons for Revocation (BR issues 6, 8, 10, 21)
• Ballot 88 – BR_9_2_4_Errata-ISO3166
• Ballot 86 – Errata plus ISO3166
• Ballot 84 – ISO 3166-1 User-assigned codes
• Ballot 83 – Adopt Network and Certificate System Security Requirements
• Ballot 80 – Response for Non-Issued Certificates
• Ballot 81 – Required Format for Amendments to Existing Standards or Requirements
• Ballot 69 – Individual Validation Policy
• Ballot 78 – Updates to Domain and IP Validation, High Risk Requests, and Data Source in the Baseline Requirements
• Ballot 76 – Public Review of Network Security Controls
• Ballot 75 – NameConstraints Criticality Flag
• Ballot 74 – Updates to Domain and IP Validation, High Risk Requests, and Data Source in the Baseline Requirements
• Ballot 72 – Reorganize EV Documents
• Ballot 71 – Auditor Qualification Requirements
• Ballot 68- No Unknown Contents
• Ballot 95 – Guidance on Deprecated Internal Names
• Ballot 64 Revised – Recognized Existence
• Ballot 65 – QIIS Definition Update
• Ballot 62 – Adopt Baseline Requirements Draft 50
• Ballot 61 – Verification Requirements for Parent Subsidiary
• Ballot 60 – Verification Requirements for Parent Subsidiary
• Ballot 58 – Operational Existence Through Parent Subsidiary
• Ballot 57 – Verifying Agency Through Confirmation of Employment Using QIIS or QGIS
• Ballot 59 – Public Review of v. 30b of the Baseline Requirements
• Ballot 56 – QGIS Contact Information
• Ballot 55 – Romanization of Japanese Corporate Names
• Ballot 54 – EV 1-3 Adoption
• Ballot 53 – Contract Signer Self-Asserted Authority
• Ballot 52 – Contract Signer Self-Asserted Authority
• Ballot 51 – Notaries
• Ballot 50 – 64-Character “O” Field
• Ballot 49 – New Certificate for Existing Subscriber
• Ballot 48 – Telephone Number at Place of Business
• Ballot 47 – Document Aging
• Ballot 46 – Audit Report Availability Timing
• Ballot 45 – Verification of Authority
• Ballot 44 – IFAC Membership
• Ballot 43 – Business Categories
• Ballot 42 – Principal Individual
• Ballot 41 – Auditing Report Publication
• Ballot 40 – Terms of Use
• Ballot 37 – Another QGIS
• Ballot 36 – Public WHOIS Information
• Ballot 35 – Role Requirements
• Ballot 34 – Adopt EV Guidelines draft 03 as Version 1.2
• Ballot 30 – Reserved Domain Names
• Ballot 31 – Allow ETSI 102 042
• Ballot 33- Subject Attribute Requirements
• Ballot 32 – Revocation for Well-Known Private Key
• Ballot 29 – Guidelines Renumbering