SC-097 passed

Ballot SC097: Sunset all remaining use of SHA-1 signatures in Certificates and CRLs

Server Certificate Working Group

Key dates

  • Effective date: 15 Sep 2026
  • Voting opened: 16 Jan 2026
  • Voting closed: 23 Jan 2026
  • IPR review ends: 25 Feb 2026
  • Discussion opened: 09 Jan 2026
  • Discussion closed: 16 Jan 2026

AI Summary

Generated 2026-06-23 21:11 UTC

Ballot overview (SC-097)

  • Proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates (TLS BRs) to sunset all remaining use of SHA-1 signatures in Certificates and CRLs.
  • Scope includes:
    • Updating Section 7.1.3.2.1 to prohibit all remaining use of the SHA-1 signature algorithm in Certificates or status information responses.
    • Revoking all unexpired Subordinate CA certificates containing the SHA-1 signature algorithm.
  • The proposal does not prohibit using SHA-1 to generate issuerKeyHash or issuerNameHash values (as required by RFC 5019).

Proposed key dates / requirements

  • Effective September 15, 2026:
    • Prevent use of SHA-1 in new CRLs.
    • CAs must revoke unexpired Subordinate CA Certificates containing the SHA-1 signature algorithm.

Rationale and context (as stated)

  • Prior SHA-1 sunsets exist (Ballot 118 (2014) and SC-053 (2022)), but unexpired and unrevoked Subordinate CA certificates containing SHA-1 signatures and CRL Distribution Points serving SHA-1-signed CRLs still exist.

Review and voting process (as stated)

  • Review period:
    • Start: 2026-01-26 09:00:00 UTC
    • End: 2026-02-25 09:00:00 UTC
  • Discussion and voting windows are listed on the ballot page.
  • Voting results:
    • 26 votes in Certificate Issuer category: 26 YES, 0 NO, 0 ABSTAIN.
    • 4 votes in Certificate Consumer category: 4 YES, 0 NO, 0 ABSTAIN.
  • Bylaws requirements for adoption were MET, including:
    • Two-thirds (2/3) or more of votes cast by Voting Members in the Certificate Issuer category in favor.
    • At least fifty percent (50%) plus one (1) of votes cast by Voting Members in the Certificate Consumer category in favor.
    • At least one Voting Member in each category voting in favor.
    • Quorum requirement MET (quorum was 17).
Model: gpt-5.4-nano Confidence: 0.86 Result: passed

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

  • Certificate Issuers: 26 yes, 0 no, 0 abstain
  • Certificate Consumers: 4 yes, 0 no, 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

Total: 30 yes, 0 no, 0 abstain (100% yes, 0% no)

Proposers

Proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program); endorsed by Clint Wilson (Apple) and Dimitris Zacharopoulos (HARICA).
