CSC-9 passed

Ballot CSC-9 – Spring 2021 Cleanup and Clarification

Code Signing Certificate Working Group

Key dates

Effective date: 09 Sep 2021 4 years ago
Voting opened: 20 Jul 2021 4 years ago
Voting closed: 27 Jul 2021 4 years ago
IPR review ends: 09 Sep 2021 4 years ago
Discussion opened: 20 Jul 2021 4 years ago
Discussion closed: 27 Jul 2021 4 years ago

Resources

± Redline https://cabforum.org/uploads/baseline_requirements_for_the_issuance_and_management_of_code_signing_csc-9_redline.pdf Baseline Requirements for the Issuance and Management of Code Signing Ballot CSC-9

AI Summary

Generated 2026-06-23 21:26 UTC

Ballot overview

Ballot CSC-9 is titled Spring 2021 Cleanup and Clarification.
It was a Code Signing Certificate Working Group ballot to clean up and clarify requirements in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.3.
The motion modified the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates version 2.3 according to the redline.

Outcome

Voting concluded and the ballot passed.
The page states that the review period ended and no exclusion notices were filed.
The Chair instructed the Vice Chair to create the guideline as voted.

Key requirements and changes

The redline artifact shows version 2.4 as the Spring 2021 cleanup version.
The Relevant Dates section in the artifact lists several compliance dates for specific sections:
- Appendix A requirements for RSA-3072 and SHA-1 restrictions for Code Signing Certificates, Root Certificates, Subordinate CA Certificates, and Timestamp Certificates.
- Appendix A requirements for SHA-1 digest algorithm restrictions for Timestamp tokens.
- Section 14.1 requirements applying after 2021-06-01 for Non-EV and EV Code Signing Certificates.
- Section 16.2 private key protection requirements applying after 2021-06-01 for Non-EV Code Signing Certificates as well as EV Code Signing Certificates.
- Section 11.1.1(4) identity verification method requirement effective 2021-11-01.
- Section 9.3.3 reserved identifier requirement for certain Subordinate CA Certificates effective 2022-03-31.

Effective date and applicability

The ballot page states that the final documents have an effective date of 9 September 2021.
The artifact also contains earlier and later section-specific dates, so the ballot includes phased and section-specific applicability.
The effective date in the ballot page applies to the final documents, while the artifact lists additional compliance dates for specific sections and certificate types.

Model: gpt-5.4-mini Confidence: 0.95 Result: passed

Effective date: 2021-09-09
Voting opened: 2021-07-20
Voting closed: 2021-07-27
IPR review ends: 2021-09-09
Discussion opened: 2021-07-20
Discussion closed: 2021-07-27

Applicability and conditions

2021-06-01 — CAs SHALL support minimum RSA-3072 for these certificate types and SHALL NOT support SHA-1 digest algorithm for Code Signing Certificates Appendix A requirements for Code Signing Certificates, Root Certificates, and Subordinate CA Certificates

2021-06-01 — CAs SHALL support minimum RSA-3072 for these certificate types and SHALL NOT support SHA-1 digest algorithm for Timestamp Certificates Appendix A requirements for Timestamp Certificates, Root Certificates, and Subordinate CA Certificates

2022-04-30 — CAs SHALL NOT support SHA-1 digest algorithm for Timestamp tokens Appendix A requirements for Timestamp tokens

2021-06-01 — After this date, the CA shall meet the requirements of EV Guidelines Section 14.1 for Non-EV and EV Code Signing Certificates Section 14.1 for Non-EV and EV Code Signing Certificates

2021-06-01 — Signing Services shall protect private keys in a FIPS 140-2 level 2 or equivalent crypto module Section 16.2 for EV Code Signing Certificates and, after this date, Non-EV Code Signing Certificates

2021-11-01 — The method used to verify the identity of the Certificate Requester SHALL be per section 11.1.2 Section 11.1.1(4)

2022-03-31 — Such Subordinate CA Certificates must include the reserved identifier specified in Section 9.3.1 Section 9.3.3 for Subordinate CA Certificates issued for Subordinate CA that issues Timestamping Certificates and is an Affiliate of the Issuing CA

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Bruce Morton, and endorsed by Ian McMillan of Microsoft and Corey Bonnell of DigiCert.

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot CSC-9 – Spring 2021 Cleanup and ClarificationBallot CSC-9 – Spring 2021 Cleanup and ClarificationIPR Review Results The review period has ended and no exclusion notices were filed.

View on cabforum.org → Last fetched 15 hours ago