SC-063v4: passed

Ballot SC063v4: Make OCSP Optional, Require CRLs, and Incentivize Automation

Server Certificate Working Group

Key dates

Effective date: 15 Mar 2024
Voting opened: 06 Jul 2023
Voting closed: 13 Jul 2023
Discussion opened: 22 Jun 2023
Discussion closed: 06 Jul 2023

AI Summary

Generated 2026-06-23 21:40 UTC

Result and adoption

  • Voting results show the ballot was adopted: the Bylaw 2.3(6) requirements were met for both Certificate Issuers and Certificate Consumers.
  • Quorum requirement under Bylaw 2.3(7) was MET.

Purpose of Ballot SC-063v4

  • Updates the Baseline Requirements to make OCSP services optional for CAs.
  • Does not prohibit CAs from continuing to support OCSP; if a CA continues supporting OCSP, the same requirements apply as they exist today.

CRL-related changes

  • CRLs must conform to the proposed profile.
  • CAs must generate and publish either:
    • a full and complete CRL, or
    • a set of partitioned (sharded) CRLs that, when aggregated, represent the equivalent of a full and complete CRL.
  • CRL issuance and update timing requirements are specified, including:
    • Subscriber Certificates: update and publish a new CRL at least every seven (7) days if all Certificates include an AIA OCSP pointer, otherwise at least every four (4) days; and update and publish within twenty-four (24) hours after recording a Certificate as revoked.
    • CA Certificates: update and publish a new CRL at least every twelve (12) months; and update and publish within twenty-four (24) hours after recording a Certificate as revoked.
    • CAs must continue issuing CRLs until specified conditions are met (expiration/revocation of Subordinate CA Certificates with the same Subject Public Key, or destruction of the corresponding Subordinate CA Private Key).
  • CRL Distribution Points presence requirements are updated, including that CRL Distribution Points are optional for Short-lived Subscriber Certificates and must not be present in OCSP Responder Certificates.

Short-lived certificate changes

  • Short-lived certificates are optional; CAs are not required to issue short-lived certificates.
  • For short-lived certificates issued on or after 15 March 2026, the proposal stipulates a maximum Validity Period of seven (7) days.
  • For short-lived certificates issued on or after 15 March 2024 and prior to 15 March 2026, the maximum Validity Period is less than or equal to 10 days.
  • Short-lived certificates are not required to contain a CRLDP or OCSP pointer and are not required to be revoked; certificate invalidation would be through certificate expiry, with optional revocation.

OCSP-related changes

  • OCSP responder requirements are updated to apply in the context of Certificates that include an Authority Information Access extension with an id-ad-ocsp accessMethod.
  • OCSP responders operated by the CA must support the HTTP GET method.
  • The CA may process the OCSP Nonce extension in accordance with RFC 8954.

Effective CRL profile date stated in the redline

  • Prior to 2024-03-15, the CA issues CRLs according to the profile specified in the Requirements or the profile specified in Version 1.8.7.
  • Effective 2024-03-15, the CA issues CRLs according to the CRL profile specified in these Requirements.

Model: gpt-5.4-nano · Confidence: 0.74 · Result: passed
Applicability and conditions

2024-03-15 — Effective this date, the CA SHALL issue CRLs in accordance with the CRL profile specified in these Requirements; before this date, the CA may issue CRLs according to either that profile or the profile specified in Version 1.8.7.

2024-03-15 — For Subscriber Certificates, whether the CRL Distribution Points extension must be present depends on whether the Certificate includes an Authority Information Access extension with an id-ad-ocsp accessMethod and on the Certificate's validity period; the extension is optional for Short-lived Subscriber Certificates.

2024-03-15 — Short-lived Subscriber Certificates issued on or after 15 March 2024 and prior to 15 March 2026 must have a Validity Period of 10 days or less.

2026-03-15 — Short-lived Subscriber Certificates issued on or after 15 March 2026 must have a Validity Period of 7 days or less.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 28 yes 1 no 0 abstain
Certificate Consumers 3 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

Total: 31 yes, 1 no, 0 abstain (97% yes · 3% no)

Proposers

Ryan Dickson and Chris Clements of Google (Chrome Root Program); endorsed by Kiran Tummala of Microsoft and Tim Callan of Sectigo.

Excerpt

Ballot SC063v4: Make OCSP Optional, Require CRLs, and Incentivize Automation. Voting Results: Certificate Issuers, 29 votes total, with no abstentions:

