CSC-15 passed

Ballot CSC-15 – Summer 2022 Cleanup

Code Signing Certificate Working Group

Key dates

Effective date: 19 Sep 2022 3 years ago
Voting opened: 19 Sep 2022 3 years ago
Voting closed: 18 Sep 2022 3 years ago
IPR review ends: 19 Sep 2022 3 years ago

Resources

⎇ GitHub diff https://github.com/cabforum/code-signing/compare/e345af02746bccf5d3c99506e492b5021714548a...4af5f82dcf343816eeec3ec218c1c7c818572aa7 https://github.com/cabforum/code-signing/compare/e345af02746bccf5d3c99506e492b5021714548a…4af5f82dcf343816eeec3ec218c1c7c818572aa7

± Redline https://cabforum.org/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v3.1_redline.pdf here

✉ Mailing list https://lists.cabforum.org/pipermail/cscwg-public/2022-September/000876.html here

AI Summary

Generated 2026-06-23 21:27 UTC

Ballot overview

Ballot CSC-15, Summer 2022 Cleanup, updated the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.
The ballot page says the purpose was to correct minor typographical and formatting errors identified during review of ballot CSC-14.
The page states that no normative changes were introduced by the ballot.

Voting and review

The review period ran from 2022-08-18 at 1400 Eastern Time to 2022-09-18 at 1400 Eastern Time.
The IPR review period ended on 2022-09-19, 2022, and no exclusion notices were filed.
The final documents were available with an effective date of 2022-09-19.

Document changes shown in the linked diff

The document version changed from 3.0.0 to 3.1.0.
The revision table added CSC-XX, Summer 2022 Clean-up, with an effective date shown as XX YY 2022 in the diff.
A wording fix changed a duplicated phrase in the Hardware Crypto Module requirement.
The section on Subscriber Private Key verification was reformatted, and the requirement text retained the date Effective November, 15, 2022 for Code Signing Certificates.

Requirement timing visible in the evidence

For Code Signing Certificates, CAs SHALL ensure that the Subscriber’s Private Key is generated, stored, and used in a suitable Hardware Crypto Module that meets or exceeds the specified requirements.
This requirement is shown as effective November 15, 2022.
The evidence also states that CAs may satisfy this requirement using one of the listed methods in section 6.2.7.4.2.
The evidence states that any other method used to satisfy the private key protection requirements had to be proposed to the Code Signing Working Group for inclusion until November 15, 2022, after which only CA/Browser Forum approved methods would be allowed.

Ballot outcome

The evidence shows the IPR review period ended and no exclusion notices were filed.
The ballot page does not explicitly state the voting result in the supplied text, but the evidence supports that the ballot completed review and produced final documents.

Model: gpt-5.4-mini Confidence: 0.78 Result: passed

Effective date: 2022-09-19
Voting opened: 2022-09-19
Voting closed: 2022-09-18
IPR review ends: 2022-09-19

Applicability and conditions

2022-11-15 — CAs must ensure the Subscriber’s Private Key is generated, stored, and used in a suitable Hardware Crypto Module meeting or exceeding the specified requirements Code Signing Certificates

2022-11-15 — CAs had to propose other methods to the Code Signing Working Group for inclusion by this date; after this date, only CA/Browser Forum approved methods would be allowed Any other method used to satisfy Subscriber private key protection requirements

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Corey Bonnell of DigiCert and endorsed by Ian McMillan of Microsoft and Dimitris Zacharopoulos of HARICA.

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot CSC-15 – Summer 2022 CleanupBallot CSC-15 – Summer 2022 CleanupResults of Review Period (Mailing list post is available here.)

View on cabforum.org → Last fetched 15 hours ago