SC-092 passed

Ballot SC-092: Sunset use of Precertificate Signing CAs

Server Certificate Working Group

Key dates

Effective date: 15 Mar 2026 3 months ago
Voting opened: 05 Oct 2025 8 months ago
Voting closed: 04 Nov 2025 7 months ago
Discussion opened: 18 Sep 2025 9 months ago
Discussion closed: 25 Sep 2025 8 months ago

Resources

⎇ GitHub diff https://github.com/cabforum/servercert/compare/b6a014d4aee244c019ef6ca41667045cdbfefb81..d0c9842bca6f912c31bd9c28f6cb3be3e6d91010 https://github.com/cabforum/servercert/compare/b6a014d4aee244c019ef6ca41667045cdbfefb81..d0c9842bca6f912c31bd9c28f6cb3be3e6d91010

± Redline https://cabforum.org/2025/09/02/ballot-sc-092-sunset-use-of-precertificate-signing-cas/BR-SC092-redline.pdf TBR-SC92-redlined.pdf

± Redline https://cabforum.org/2025/09/02/ballot-sc-092-sunset-use-of-precertificate-signing-cas/BR-SC092-redline.docx TBR-SC92-redlined.docx

⤓ Document https://cabforum.org/2025/09/02/ballot-sc-092-sunset-use-of-precertificate-signing-cas/BR-SC092.pdf TBR-SC92.pdf

⤓ Document https://cabforum.org/2025/09/02/ballot-sc-092-sunset-use-of-precertificate-signing-cas/BR-SC092.docx TBR-SC92.docx

⤓ Document https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf

AI Summary

Generated 2026-06-23 21:14 UTC

Ballot overview

Ballot SC-092 proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates (TLS BRs) to sunset use of Precertificate Signing CAs, currently specified in Section 7.1.2.4.
The ballot states that RFC 6962 describes Precertificate Signing Certificates and that RFC 9162 deprecates Precertificate Signing Certificates and the Precertificate Poison extension.

Rationale provided

Precertificate Signing CAs are described as introducing complexity and risk with little practical benefit.
The ballot lists reasons including increased chain-validation logic complexity, additional CA infrastructure requirements, difficulty for CT monitors to observe issuance, and a cited real-world critical failure resulting in rejection of a CT log.
The ballot also states adoption is low (only 2 publicly-trusted CA Owners currently using Precertificate Signing CAs).

Proposed changes / requirements

Effective March 15, 2026:
- The Certificate Profile specified in Section 7.1.2.4 MUST NOT be used to issue new certificates.
- Existing Precertificate Signing CAs MUST NOT be used to issue new Precertificates.
The ballot content also includes a Baseline Requirements compliance date entry for 2026-03-15 stating CAs MUST NOT use Precertificate Signing CAs to issue Precertificates and MUST NOT issue certificates using the Technically Constrained Precertificate Signing CA Certificate Profile specified in Section 7.1.2.4.

Voting and adoption

Voting results on the ballot page show 29 votes in total with 29 voting YES and 0 voting NO.
The ballot page states the Bylaws Requirements were MET, including:
- Two-thirds (2/3) or more of votes cast by Voting Members in the Certificate Issuer category were in favour.
- At least fifty percent (50%) plus one (1) of votes cast by Voting Members in the Certificate Consumer category were in favour.
- At least one Voting Member in each category voted in favour.
- Quorum was 16 and this requirement was MET.
The ballot page indicates the ballot current_status is passed.

Model: gpt-5.4-nano Confidence: 0.90 Result: passed

Effective date: 2026-03-15
Voting opened: 2025-10-05
Voting closed: 2025-11-04
Discussion opened: 2025-09-18
Discussion closed: 2025-09-25

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 29 yes 0 no 0 abstain

Certificate Consumers 3 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

32 Yes

0 No

0 Abstain

100% yes · 0% no

Proposers

Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by Aaron Gable (Internet Security Research Group) and Clint Wilson (Apple).

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot SC-092: Sunset use of Precertificate Signing CAsBallot SC-092: Sunset use of Precertificate Signing CAsVoting Results Certificate Issuers 29 votes in total:

View on cabforum.org → Last fetched 16 hours ago