SC-079v2 passed

Ballot SC079v2: Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate

Server Certificate Working Group

Key dates

Effective date
14 Nov 2024
Voting opened
30 Sep 2024
Voting closed
07 Oct 2024
IPR review ends
14 Nov 2024
Discussion opened
22 Sep 2024
Discussion closed
29 Sep 2024

AI Summary

Generated 2026-06-23 21:15 UTC

Ballot overview

  • Ballot SC079v2 is titled Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate.
  • It is a Final Maintenance Guideline for the TLS Baseline Requirements.
  • The motion was proposed by Paul van Brouwershaven of Entrust and endorsed by Ben Wilson of Mozilla and Thomas Zermeno of SSL.com.

What the ballot changes

  • The ballot duplicates the Certificate Policies content into section 7.1.2.2.6 for Cross-Certified Subordinate CA Certificate Profiles.
  • It changes the requirement from exactly one Reserved Certificate Policy Identifier to at least one Reserved Certificate Policy Identifier.
  • It allows multiple Reserved Certificate Policy Identifiers in a Cross-Certified Subordinate CA Certificate, except when any Subscriber Certificates chain directly to the certificate issued under this profile.
  • It clarifies the description of policyIdentifier contents in both affected sections.
  • The GitHub diff shows the certificatePolicies reference in the BR.md table moved to the new section 7.1.2.2.6.

Voting and adoption

  • Certificate Issuers: 19 votes total, 19 YES, 0 NO, 0 ABSTAIN.
  • Certificate Consumers: 2 votes total, 2 YES, 0 NO, 0 ABSTAIN.
  • Bylaw 2.3(6) requirements were met for both Issuer and Consumer categories.
  • Bylaw 2.3(7) quorum was 14 and was met.
  • The ballot page states that no abstentions were filed and that the ballot was adopted.

Review period

  • The review period started on 14 October 2024 at 16:00 UTC.
  • The review period ended on 14 November 2024 at 16:00 UTC.
  • The IPR notice says members with Essential Claims to exclude had to submit a written Notice to Exclude Essential Claims before the end of the Review Period.

Compliance impact

  • Cross-Certified Subordinate CA Certificates must include at least one Reserved Certificate Policy Identifier and may include more than one.
  • If any Subscriber Certificates will chain up directly to the certificate issued under this profile, the Cross-Certified Subordinate CA Certificate must contain exactly one Reserved Certificate Policy Identifier.
  • If the Issuing CA wishes to express no policy restrictions and the Subordinate CA is an Affiliate of the Issuing CA, the Issuing CA may use anyPolicy as the only PolicyInformation value.
  • policyQualifiers are not recommended, and if present must be limited to the permitted id-qt-cps qualifier.
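
The rules listed above, expressed as a lint check over an already-decoded certificatePolicies extension (an added example, not part of the ballot or the CABF page). The function name, the input shape and the treatment of anyPolicy as an alternative to the reserved-identifier rule are assumptions; the OID constants are the standard values for the CA/Browser Forum reserved policies, anyPolicy and id-qt-cps.

```python
# Added example: lint certificatePolicies of a Cross-Certified Subordinate CA
# Certificate against the rules summarized above. Standard library only.
RESERVED = {
    "2.23.140.1.1",    # CA/Browser Forum EV
    "2.23.140.1.2.1",  # domain-validated
    "2.23.140.1.2.2",  # organization-validated
    "2.23.140.1.2.3",  # individual-validated
}
ANY_POLICY = "2.5.29.32.0"        # anyPolicy
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps


def lint_cross_cert_policies(policies, *, direct_subscribers, affiliate):
    """policies: list of (policyIdentifier OID, [qualifier OIDs]) in extension order.
    direct_subscribers: Subscriber Certificates chain directly to this certificate.
    affiliate: the Subordinate CA is an Affiliate of the Issuing CA.
    Returns a list of (severity, message); no "error" entries means consistent."""
    findings = []
    oids = [oid for oid, _ in policies]
    reserved = [oid for oid in oids if oid in RESERVED]

    if ANY_POLICY in oids:
        # Assumption: anyPolicy replaces the reserved-identifier requirement.
        if not affiliate:
            findings.append(("error", "anyPolicy used but Subordinate CA is not an Affiliate"))
        if len(oids) != 1:
            findings.append(("error", "anyPolicy must be the only PolicyInformation value"))
    elif not reserved:
        findings.append(("error", "no Reserved Certificate Policy Identifier present"))
    elif direct_subscribers and len(reserved) != 1:
        findings.append(("error", f"{len(reserved)} Reserved identifiers, but Subscriber "
                                  "Certificates chain directly: exactly one required"))

    for oid, qualifiers in policies:
        if qualifiers:
            findings.append(("warn", f"{oid}: policyQualifiers are not recommended"))
        for q in qualifiers:
            if q != ID_QT_CPS:
                findings.append(("error", f"{oid}: qualifier {q} is not id-qt-cps"))
    return findings


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


# Constructed sample: two reserved identifiers (DV and OV), no qualifiers.
SAMPLE_TWO_RESERVED = [("2.23.140.1.2.1", []), ("2.23.140.1.2.2", [])]
```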

Linked artifacts

  • The redline PDF and GitHub compare both show the same normative change to section 7.1.2.2.6.
  • The IPR policy artifact is effective July 3, 2018 and describes the review and exclusion process used for the ballot.
Model: gpt-5.4-mini Revised: 2026-06-23 21:16 UTC Confidence: 0.95 Result: passed
Applicability and conditions

2024-11-14 — CAs must apply the updated Certificate Policies rules in the Cross-Certified Subordinate CA Certificate Profile under section 7.1.2.2.6, with the exact policyIdentifier requirement depending on whether Subscriber Certificates chain directly to the certificate and whether the Subordinate CA is an Affiliate of the Issuing CA.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 19 yes 0 no 0 abstain
Certificate Consumers 2 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

21 Yes
0 No
0 Abstain

100% yes · 0% no

Proposers

Proposed by Paul van Brouwershaven (Entrust); endorsed by Ben Wilson (Mozilla) and Thomas Zermeno (SSL.com).

Excerpt

Ballot SC079v2: Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate

Voting Results

Certificate Issuers 19 votes total, with no abstentions:
