SC-058 passed

Ballot SC058: Require distributionPoint in sharded CRLs

Server Certificate Working Group

Key dates

Voting opened: 31 Oct 2022 3 years ago
Voting closed: 07 Nov 2022 3 years ago
Discussion opened: 22 Oct 2022 3 years ago
Discussion closed: 29 Oct 2022 3 years ago

Resources

⎇ GitHub diff https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..348756d64e863c19bcab404671abeeec985d6041 Redline

AI Summary

Generated 2026-06-23 21:40 UTC

Ballot overview

Ballot SC058 proposes a modification to the Baseline Requirements (Version 1.8.4) to ensure that all sharded CRLs contain the distributionPoint field.
The ballot states that RFC 5280’s language does not actually require the presence of the distributionPoint field, and the ballot augments the Baseline Requirements’ CRL Profile accordingly.

Motion and scope

The ballot modifies the Baseline Requirements for the issuance and management of publicly-trusted certificates, based on Version 1.8.4.
The ballot is described as a Final Maintenance Guideline.

Voting outcome

Certificate Issuers: 19 votes total; 19 YES; 0 NO; 0 ABSTAIN.
Certificate Consumers: 3 votes total; 3 YES; 0 NO; 0 ABSTAIN.
Bylaws requirements were reported as MET for both Certificate Issuers and Certificate Consumers.
Quorum requirement was reported as MET.

Effective requirement (as reflected in linked artifact text)

The linked artifact text adds a requirement that sharded or partitioned CRLs MUST have a distributionPoint.
The linked artifact text also states: Effective 2023-01-15, if a CRL does not contain entries for all revoked unexpired certificates issued by the CRL issuer, then it MUST contain a critical Issuing Distribution Point extension and MUST populate the distributionPoint field of that extension.

Model: gpt-5.4-nano Confidence: 0.86 Result: passed

Voting opened: 2022-10-31
Voting closed: 2022-11-07
Discussion opened: 2022-10-22
Discussion closed: 2022-10-29

Applicability and conditions

2023-01-15 — The CRL MUST contain a critical Issuing Distribution Point extension and MUST populate the distributionPoint field of that extension. If a CRL does not contain entries for all revoked unexpired certificates issued by the CRL issuer

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 19 yes 0 no 0 abstain

Certificate Consumers 3 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

22 Yes

0 No

0 Abstain

100% yes · 0% no

Proposers

Aaron Gable of ISRG / Let’s Encrypt, and endorsed by Clint Wilson of Apple, Corey Bonnell of DigiCert, and Dmitris Zacharopoulos of HARICA.

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot SC058: Require distributionPoint in sharded CRLsBallot SC058: Require distributionPoint in sharded CRLsVoting Results Certificate Issuers 19 votes total, with no abstentions:

View on cabforum.org → Last fetched 16 hours ago