← CABF Ballot Browser
Ballot-189 passed

Ballot 189 – Amend Section 6.1.7 of Baseline Requirements

Server Certificate Working Group

Key dates

Effective date
13 May 2017 9 years ago
Voting opened
06 Apr 2017 9 years ago
Voting closed
13 Apr 2017 9 years ago
IPR review ends
13 May 2017 9 years ago
Discussion opened
30 Mar 2017 9 years ago
Discussion closed
06 Apr 2017 9 years ago

AI Summary

Generated 2026-06-23 21:32 UTC

Ballot overview

  • Ballot 189 amends Section 6.1.7 of the Baseline Requirements.
  • The ballot clarifies that Root CA private keys are not to be used to sign end-entity certificates, with specific exceptions.
  • It also clarifies that the exception list does not include time stamping certificates.
  • The motion further clears exception language for 1024-bit RSA Subscriber Certificates and for testing products with certificates issued by a Root.

Voting result

  • The voting period ended.
  • 21 CA votes were cast in favor, with 0 no votes and 0 abstentions.
  • 3 browser votes were cast in favor, with 0 no votes and 0 abstentions.
  • Quorum was met.
  • The ballot met the approval requirements for both CAs and browsers.
  • The ballot passes.

Timing and implementation

  • Discussion period: 2017-03-30 to 2017-04-06.
  • Voting period: 2017-04-06 to 2017-04-13.
  • If the vote approves the ballot, there is a 30-day review period after the Chair sends the Review Notice.
  • If no Exclusion Notices are filed, the ballot becomes effective at the end of the Review Period.
  • The proposed changes become Effective 30 days after the ballot passes.

Scope of the proposed section 6.1.7 changes

  • Root Certificates may not be used to sign Certificates except for:
    • Self-signed Certificates representing the Root CA itself.
    • Certificates for Subordinate CAs and Cross Certificates.
    • Certificates for infrastructure purposes, including administrative role certificates, internal CA operational device certificates, and OCSP Response verification certificates.
  • The motion also states that the Root CA private key restriction applies to Root Keys in a hierarchy that issues SSL Certificates.
  • The ballot removes the prior exception language for:
    • Certificates issued solely for testing products with Certificates issued by a Root CA.
    • Subscriber Certificates under the listed 1024-bit RSA and deployment conditions.

Result interpretation

  • The ballot page states that Ballot 189 passes.
  • The page also states that if Exclusion Notices are filed, ballot approval is rescinded and a PAG is to be created.
Model: gpt-5.4-mini Confidence: 0.95 Result: passed
Effective date
2017-05-13
Voting opened
2017-04-06
Voting closed
2017-04-13
IPR review ends
2017-05-13
Discussion opened
2017-03-30
Discussion closed
2017-04-06
Applicability and conditions

2017-05-13 — The ballot becomes effective at the end of the Review Period If no Exclusion Notices are filed after the Review Notice and the ballot completes the 30-day review period

2017-05-13 — The changes become Effective 30 days after the ballot passes For the proposed changes in the motion

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Dimitris Zacharopoulos of HARICA and endorsed by Bruce Morton of Entrust and Jeremy Rowley of Digicert

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot 189 – Amend Section 6.1.7 of Baseline RequirementsBallot 189 – Amend Section 6.1.7 of Baseline RequirementsResults on Ballot 189 – Amend Section 6.1.7 of Baseline Requirements

View on cabforum.org → Last fetched 16 hours ago

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action