Ballot CSC-10 – WebTrust CSBR v2.0 Audit Criteria

Ballot overview

• Ballot CSC-10 updates Section 17.1 of the Code Signing Baseline Requirements to allow the new WebTrust CSBR 2.0 or later audit scheme.
• The ballot also keeps older WebTrust audit options for audit periods starting before 1 November 2020.
• It retains ETSI EN 319 411-1 as an acceptable audit scheme and preserves the Government CA internal audit-scheme allowance.

What changed

• The motion deletes the existing Section 17.1 audit-scheme text and replaces it with updated language.
• The new language adds a specific option for WebTrust for CAs v2.0 or newer together with WebTrust for Certification Authorities – Code Signing Baseline Requirements v2.0 or newer.
• The motion keeps the older WebTrust options for audit periods starting before 1 November 2020.
• The motion keeps the ETSI option and the Government CA exception.

Voting and IPR review

• The ballot has PASSED.
• The IPR review period ended and no exclusion notices were filed.
• The final documents state an effective date of 2021-09-13.

Compliance timing

• The effective date applies to the final documents and is the date CAs must use for the updated audit criteria.
• For audit periods starting before 1 November 2020, the older WebTrust audit combinations remain available.
• For audit periods starting on or after 1 November 2020, the new WebTrust CSBR 2.0 or later audit scheme is allowed.
• The ballot text also states there is no specific start date for the CSBR 2.0 audit scheme, and that it may be used for audit periods starting before 1 November 2021.