Ballot CSC-31: Maximum Validity Reduction

Outcome

• The ballot passed.
• The voting period completed with the ballot marked PASSED.
• The bylaws requirements listed on the page were all marked MET, including Certificate Issuer support, Certificate Consumer support, at least one affirmative vote in each category, and quorum.
• The IPR period completed with no IPR Exclusion Notices filed.
• The ballot was adopted as of 2025-11-17.
• CSC BRs version 3.10.0 were published following adoption.

What the ballot changes

• The ballot updates the Code Signing Baseline Requirements from version 3.9.
• It reduces the maximum validity for code signing certificates from 39 months to 460 days.
• The GitHub compare shows the prior rule that a Code Signing Certificate issued to a Subscriber or Signing Service must not exceed 39 months was replaced.
• The new rule states that for all Code Signing Certificates issued after 2026-03-01, the validity period for the Code Signing Certificate issued to a Subscriber must not exceed 460 days.

Scope and applicability

• The ballot page summary says the change is effective 2026-03-01.
• The redline text applies the new 460-day limit to all Code Signing Certificates issued after 2026-03-01.
• The changed sentence in the redline refers to certificates issued to a Subscriber.

Process dates

• Discussion ran from 2025-09-16 18:00 UTC to 2025-10-06 18:00 UTC.
• Voting ran from 2025-10-06 18:00 UTC to 2025-10-13 18:00 UTC.
• The IPR review period ran from 2025-10-14 08:00:00 UTC to 2025-11-13 08:00:00 UTC.

Voting results

• Certificate Issuers cast 9 votes total: 7 YES, 0 NO, and 2 ABSTAIN.
• The YES votes from Certificate Issuers were Asseco Data Systems SA (Certum), DigiCert, eMudhra, HARICA, IdenTrust, Sectigo, and SSL.com.
• The ABSTAIN votes from Certificate Issuers were Actalis S.p.A. and GlobalSign.
• Certificate Consumers cast 1 vote total: 1 YES, 0 NO, and 0 ABSTAIN.
• The Certificate Consumer YES vote was Microsoft.