Ballot CSC-7v2: Update to merge EV and Non-EV clauses
Code Signing Certificate Working Group
Key dates
- Effective date: 01 Jun 2021
- Voting opened: 25 Jan 2021
- Voting closed: 01 Feb 2021
- Discussion opened: 14 Jan 2021
- Discussion closed: 25 Jan 2021
AI Summary
Ballot overview
- Ballot CSC-7v2 updates the Code Signing Baseline Requirements to merge EV and Non-EV clauses.
- The ballot says the CSC-2 merger had been done without technical changes, but left some sections with different text for Non-EV and EV certificates.
- It also notes that some items were intentionally left different for EV, and that the changes were discussed in bi-weekly meetings.
- Additional minor changes included adding a table for document revision and history, adding a table for effective dates within the BRs, and correcting errors from the merger.
Vote result
- Voting closed and the ballot passed.
- CAs voting in favor: Actalis, DigiCert, Entrust, GDCA, GlobalSign, GoDaddy, HARICA.
- CAs opposed: none.
- CAs abstaining: none.
- Certificate Consumers voting in favor: Microsoft.
- Certificate Consumers opposed: none.
- Certificate Consumers abstaining: none.
What the motion changed
- The motion modifies Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates version 2.1 according to the attached redline.
- The linked version 2.2 document shows relevant dates for several requirements, including RSA-3072 support, SHA-1 restrictions, and private key protection requirements.
Relevant dates stated in the evidence
- 2021-01-14: discussion start time.
- 2021-01-25: discussion end time not before this date, and vote start time.
- 2021-02-01: vote end time.
- 2021-06-01: compliance date for Appendix A (1), Appendix A (2), Section 14.1, and Section 16.2.
- 2022-04-30: compliance date for Appendix A (3).
- 1 July 2021: effective date listed in the revisions table for CSC-7.
Compliance requirements shown in the linked document
- By 2021-06-01, CAs must support minimum RSA-3072 for Code Signing Certificates, Root Certificates, and Subordinate CA Certificates, and must not support SHA-1 for Code Signing Certificates.
- By 2021-06-01, CAs must support minimum RSA-3072 for Timestamp Certificates, Root Certificates, and Subordinate CA Certificates, and must not support SHA-1 for Timestamp Certificates.
- By 2022-04-30, CAs must not support SHA-1 digest algorithm for Timestamp tokens.
- After 2021-06-01, CAs must meet EV Guidelines Section 14.1 for Non-EV and EV Code Signing Certificates.
- For EV Code Signing Certificates, Signing Services must protect private keys in a FIPS 140-2 level 2 or equivalent crypto module; after 2021-06-01, the same protection applies to Non-EV Code Signing Certificates.
- 2021-06-01: CAs must support minimum RSA-3072 and must not support SHA-1 digest algorithm for Code Signing Certificates. Appendix A (1) applies to Code Signing Certificates, Root Certificates, and Subordinate CA Certificates.
- 2021-06-01: CAs must support minimum RSA-3072 and must not support SHA-1 digest algorithm for Timestamp Certificates. Appendix A (2) applies to Timestamp Certificates, Root Certificates, and Subordinate CA Certificates.
- 2022-04-30: CAs must not support SHA-1 digest algorithm for Timestamp tokens. Appendix A (3) applies to Timestamp tokens.
- 2021-06-01: CAs must meet EV Guidelines Section 14.1 for Non-EV and EV Code Signing Certificates. Section 14.1 applies to Non-EV and EV Code Signing Certificates after this date.
- 2021-06-01: Signing Services must protect private keys in a FIPS 140-2 level 2 or equivalent crypto module. Section 16.2 applies to EV Code Signing Certificates, and after this date also to Non-EV Code Signing Certificates.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Bruce Morton of Entrust and endorsed by Dimitris Zacharopoulos of HARICA and Dean Coclin of DigiCert.
Excerpt
Voting has closed on this ballot and the results are as follows: