VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

[Ben Wilson]

The voting period will begin at 2200 UTC today.

SC-089: Mass Revocation Planning

Purpose of Ballot

This ballot proposes the addition of a new subsection, Section 5.7.1.2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates. Its purpose is to require that Certification Authorities (CAs) develop, maintain, and annually test a Mass Revocation Plan as part of their overall business continuity strategy. This is already a requirement of the Mozilla Root Program.

Mass revocation events—situations where a large proportion of a CA's certificates must be revoked within a short period of time—pose significant risks to the stability, reliability, and trustworthiness of the Web PKI. In recent years, such events have revealed operational challenges in CA readiness, communication with affected parties, and the timely replacement of revoked certificates. A well-prepared and well-tested plan is essential to minimizing disruption to subscribers and relying parties, as well as to maintaining the integrity of the public trust ecosystem.

This amendment sets forth minimum requirements for Mass Revocation Plans, including activation criteria, defined roles and responsibilities, mechanisms for subscriber communication, documentation of processes, and expectations for regular testing. It also requires that, as of December 1, 2025, CAs assert in their CPSes that they maintain such a plan and incorporate lessons learned from testing to continually improve their preparedness.

The goal of this ballot is to improve transparency, auditability, and operational resilience across all publicly-trusted, TLS-issuing CAs, while aligning expectations with existing root program policies and auditor feedback.

The following motion has been proposed by Ben Wilson (Mozilla) and endorsed by Enrico Entschew (D-Trust) and Pedro Fuentes (OISTE).

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...c9076a905c30c7766404f240fac4a198e6b9e2f2

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

• Start time: July 7, 2025 23:00 UTC
• End time: on or after July 14, 2025 23:00 UTC

Vote for approval (7 days)

• Start time: July 15, 2025 22:00 UTC
• End time: July 22, 2025 22:00 UTC

[Tim Hollebeek]

DigiCert votes YES on SC-089.

 

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

[Pedro FUENTES]

OISTE votes yes to SC-089

Le 15 juil. 2025 à 23:36, 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> a écrit :



[Entschew, Enrico]

D-Trust votes YES on Ballot SC-089.

 

Thanks,

Enrico

--

[Scott Rea]

eMudhra Votes Yes on Ballot SC-089

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Wednesday, 16 July 2025 at 1:36 AM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.

 

--

You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

Disclaimer: The email and its contents hold confidential information and are intended for the person or entity to which it is addressed. If you are not the intended recipient, please note that any distribution or copying of this email is strictly prohibited as per Company Policy, you are requested to notify the sender and delete the email and associated attachments with it from your system.

[Bruce Morton]

Entrust abstains from ballot SC-089.

 

 

Bruce.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 5:36 PM
To: server...@groups.cabforum.org

Subject: [EXTERNAL] [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today. SC-089: Mass Revocation Planning Purpose of Ballot This ballot proposes the addition of a new subsection, Section 5. 7. 1. 2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance

--

You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

[Michael Guenther]

[CHASSERY Francois]

Certinomis votes YES

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 11:36 PM
To: server...@groups.cabforum.org

--

[Ben Wilson]

Mozilla votes "Yes" on Ballot SC-089.

[Marco Schambach]

IdenTrust votes "Yes" on Ballot SC-089 Mass Revocation Planning

 

 

Marco S.

TrustID Program Manager

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 5:36 PM
To: server...@groups.cabforum.org

--

[Dimitris Zacharopoulos (HARICA)]

HARICA votes "yes" to ballot SC089.

[Chad Dandar (cdandar)]

Cisco votes Yes on Ballot SC-089.

 

Chad Dandar

Cisco

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 2:36 PM
To: server...@groups.cabforum.org

--

[Hogeun Yoo]

NAVER Cloud Trust Services votes YES on Ballot SC-089.

Best regards,

Hogeun Yoo

-----Original Message-----
From: "'Ben Wilson' via Server Certificate WG (CA/B Forum)"<server...@groups.cabforum.org>
To: <server...@groups.cabforum.org>;
Cc:
Sent: 2025. 7. 16. (수) 06:36 (GMT+09:00)
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

[Backman, Antti]

Telia votes ’Yes’ on Ballot SC-089: Mass Revocation Planning

//Antti

 

---

Lähettäjä: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Lähetetty: keskiviikkona, heinäkuuta 16, 2025 12:36 ap.
Vastaanottaja: server...@groups.cabforum.org <server...@groups.cabforum.org>
Aihe: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing, distributing or retaining copies thereof or disclosing its contents to any other person.

Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s Privacy Policy.

[Rollin.Yu]

TrustAsia votes YES on ballot SC-089.

Best regards,
Rollin Yu

[Doug Beattie]

GlobalSign votes Yes on Ballot SC-089.

 

Doug

 

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 5:36 PM
To: server...@groups.cabforum.org

--

[Ponds-White, Trev]

Amazon Trust Services votes Yes.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Tuesday, July 15, 2025 14:36
To: server...@groups.cabforum.org
Subject: [EXTERNAL] [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

 

--

[sde...@godaddy.com]

GoDaddy votes Yes on Ballot SC-089. 

Thanks, 

Steven Deitte

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Date: Tuesday, July 15, 2025 at 2:36 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

This Message Is From an External Sender

This message came from outside your organization.

 

[Wayne Thayer]

Fastly votes Yes on ballot SC-089.

- Wayne

[黃晟(orca)]

TWCA votes “YES” on Ballot SMC013

 

 

Regards,

 

Sean Huang

Senior R&D Engineer
TEL：02-2370-8886#728
FAX：02-2388-6720
Email：or...@twca.com.tw

10F., No. 85, Yanping South Road,

Taipei, Taiwan (R.O.C.)

 

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, July 16, 2025 5:36 AM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

--

[黃晟(orca)]

Apologies, the previous email was sent in error. Please disregard it.
TWCA votes “YES” on Ballot SC-089

 

 

Regards,

 

Sean Huang

Senior R&D Engineer
TEL：02-2370-8886#728
FAX：02-2388-6720
Email：or...@twca.com.tw

10F., No. 85, Yanping South Road,

Taipei, Taiwan (R.O.C.)

 

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, July 16, 2025 5:36 AM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

--

[Alvin Wang]

SHECA votes YES on ballot SC-089.

Best regards,
Alvin.Wang

[Jozef Nigut]

Disig  votes YES   on Ballot SC-089.

 

Thanks,

Jozef

 

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 11:36 PM

To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

--

[Inigo Barreira]

Sectigo votes yes

 

De: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Enviado el: martes, 15 de julio de 2025 23:36
Para: server...@groups.cabforum.org
Asunto: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today. SC-089: Mass Revocation Planning Purpose of Ballot This ballot proposes the addition of a new subsection, Section 5. 7. 1. 2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender This message came from outside your organization.

Report Suspicious    ‌

ZjQcmQRYFpfptBannerEnd

--

[So, Nicol]

CommScope votes “YES” on ballot SC-089.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 5:36 PM
To: server...@groups.cabforum.org

Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

CAUTION: This message originated from an External Source outside of CommScope.com. This may be a phishing email that can result in unauthorized access to CommScope. Please use caution when opening attachments, clicking links, scanning QR codes, or responding. You can report suspicious emails directly in Microsoft Outlook.

 

 

--

[qi_ji...@itrus.com.cn]

iTrusChina votes YES on Ballot SC-089.

Regards,

Qi Jianxin

---

qi_ji...@itrus.com.cn

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum)

Date: 2025-07-16 05:36

To: servercert-wg

Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

The voting period will begin at 2200 UTC today.

[성지은 Jieun Seong]

MOIS votes "YES" on Ballot SC-089.

Jieun Seong

Junior Researcher

KLID

---

Date: 2025/07/16 06:36:25

From: "'Ben Wilson' via Server Certificate WG (CA/B Forum)"

To: server...@groups.cabforum.org

[郭宗閔]

Chunghwa Telecom votes “YES” on ballot SC-089.

 

Best regards,

Chunghwa Telecom Co., Ltd.,

Tsung-Min Kuo

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Tuesday, July 15, 2025 5:36 PM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/PH7PR14MB64539D389D1EDDC516264A108650A%40PH7PR14MB6453.namprd14.prod.outlook.com.

 

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

[Janet Hines]

VikingCloud votes YES on SC-089.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Tuesday, July 15, 2025 at 5:36 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

---

The voting period will begin at 2200 UTC today.

SC-089: Mass Revocation Planning

Purpose of Ballot

This ballot proposes the addition of a new subsection, Section 5.7.1.2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates. Its purpose is to require that Certification Authorities (CAs) develop, maintain, and annually test a Mass Revocation Plan as part of their overall business continuity strategy. This is already a requirement of the Mozilla Root Program.

Mass revocation events—situations where a large proportion of a CA's certificates must be revoked within a short period of time—pose significant risks to the stability, reliability, and trustworthiness of the Web PKI. In recent years, such events have revealed operational challenges in CA readiness, communication with affected parties, and the timely replacement of revoked certificates. A well-prepared and well-tested plan is essential to minimizing disruption to subscribers and relying parties, as well as to maintaining the integrity of the public trust ecosystem.

This amendment sets forth minimum requirements for Mass Revocation Plans, including activation criteria, defined roles and responsibilities, mechanisms for subscriber communication, documentation of processes, and expectations for regular testing. It also requires that, as of December 1, 2025, CAs assert in their CPSes that they maintain such a plan and incorporate lessons learned from testing to continually improve their preparedness.

The goal of this ballot is to improve transparency, auditability, and operational resilience across all publicly-trusted, TLS-issuing CAs, while aligning expectations with existing root program policies and auditor feedback.

The following motion has been proposed by Ben Wilson (Mozilla) and endorsed by Enrico Entschew (D-Trust) and Pedro Fuentes (OISTE).

 

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...c9076a905c30c7766404f240fac4a198e6b9e2f2

Motion Ends

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

• Start time: July 7, 2025 23:00 UTC
• End time: on or after July 14, 2025 23:00 UTC

Vote for approval (7 days)

• Start time: July 15, 2025 22:00 UTC
• End time: July 22, 2025 22:00 UTC

 

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA%2B1gtaZM8Kkxs70zeg4%2B2hSB1RoStW0AsUf%2Btt%3DP%3D7uBuTmYEA%40mail.gmail.com.

Company Registration Details
VikingCloud is the registered business name of Sysxnet Limited. Sysxnet Limited is registered in Ireland under company registration number 147176 and its registered office is at 1st Floor, Block 71a, The Plaza, Park West Business Park, Dublin 12, Ireland.

Email Disclaimer
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Sysxnet Limited is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt..

[大野 文彰]

SECOM Trust Systems votes YES on Ballot SC-089.

 

Best regards,

 

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, July 16, 2025 6:36 AM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

SC-089: Mass Revocation Planning

Purpose of Ballot

This ballot proposes the addition of a new subsection, Section 5.7.1.2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates. Its purpose is to require that Certification Authorities (CAs) develop, maintain, and annually test a Mass Revocation Plan as part of their overall business continuity strategy. This is already a requirement of the Mozilla Root Program.

Mass revocation events—situations where a large proportion of a CA's certificates must be revoked within a short period of time—pose significant risks to the stability, reliability, and trustworthiness of the Web PKI. In recent years, such events have revealed operational challenges in CA readiness, communication with affected parties, and the timely replacement of revoked certificates. A well-prepared and well-tested plan is essential to minimizing disruption to subscribers and relying parties, as well as to maintaining the integrity of the public trust ecosystem.

This amendment sets forth minimum requirements for Mass Revocation Plans, including activation criteria, defined roles and responsibilities, mechanisms for subscriber communication, documentation of processes, and expectations for regular testing. It also requires that, as of December 1, 2025, CAs assert in their CPSes that they maintain such a plan and incorporate lessons learned from testing to continually improve their preparedness.

The goal of this ballot is to improve transparency, auditability, and operational resilience across all publicly-trusted, TLS-issuing CAs, while aligning expectations with existing root program policies and auditor feedback.

The following motion has been proposed by Ben Wilson (Mozilla) and endorsed by Enrico Entschew (D-Trust) and Pedro Fuentes (OISTE).

 

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...c9076a905c30c7766404f240fac4a198e6b9e2f2

Motion Ends

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

• Start time: July 7, 2025 23:00 UTC
• End time: on or after July 14, 2025 23:00 UTC

Vote for approval (7 days)

• Start time: July 15, 2025 22:00 UTC
• End time: July 22, 2025 22:00 UTC

 

[Matsuo Yoshihiko]

JPRS votes YES on Ballot SC-089.


Yoshihiko Matsuo(JPRS)

On Tue, 15 Jul 2025 15:36:06 -0600
"'Ben Wilson' via Server Certificate WG (CA/B Forum)" <server...@groups.cabforum.org> wrote:

> The voting period will begin at 2200 UTC today.
>

> *SC-089: Mass Revocation Planning*
>
> *Purpose of Ballot*
>
> This ballot proposes the addition of a new subsection, Section 5.7.1.2 ?

> Mass Revocation Planning, to the Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted TLS Server Certificates. Its purpose is to
> require that Certification Authorities (CAs) develop, maintain, and
> annually test a Mass Revocation Plan as part of their overall business
> continuity strategy. This is already a requirement of the Mozilla Root
> Program.
>

> Mass revocation events?situations where a large proportion of a CA's
> certificates must be revoked within a short period of time?pose significant

> risks to the stability, reliability, and trustworthiness of the Web PKI. In
> recent years, such events have revealed operational challenges in CA
> readiness, communication with affected parties, and the timely replacement
> of revoked certificates. A well-prepared and well-tested plan is essential
> to minimizing disruption to subscribers and relying parties, as well as to
> maintaining the integrity of the public trust ecosystem.
>
> This amendment sets forth minimum requirements for Mass Revocation Plans,
> including activation criteria, defined roles and responsibilities,
> mechanisms for subscriber communication, documentation of processes, and
> expectations for regular testing. It also requires that, as of December 1,
> 2025, CAs assert in their CPSes that they maintain such a plan and
> incorporate lessons learned from testing to continually improve their
> preparedness.
>
> The goal of this ballot is to improve transparency, auditability, and
> operational resilience across all publicly-trusted, TLS-issuing CAs, while
> aligning expectations with existing root program policies and auditor
> feedback.
>
> The following motion has been proposed by Ben Wilson (Mozilla) and endorsed
> by Enrico Entschew (D-Trust) and Pedro Fuentes (OISTE).
>
>

> *Motion Begins*

>
> MODIFY the "Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements")
> based on Version 2.1.5 as specified in the following redline:
>
> https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...c9076a905c30c7766404f240fac4a198e6b9e2f2
>

> *Motion Ends*

>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>

> *Discussion (at least 7 days)*
>
> - Start time: July 7, 2025 23:00 UTC
> - End time: on or after July 14, 2025 23:00 UTC
>
> *Vote for approval (7 days)*
>
> - Start time: July 15, 2025 22:00 UTC
> - End time: July 22, 2025 22:00 UTC

[Kateryna Aleksieieva]

Certum votes YES on Ballot SC-089

 

Kind regards,

Kateryna Aleksieieva

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Tuesday, July 15, 2025 11:36 PM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

The voting period will begin at 2200 UTC today.

SC-089: Mass Revocation Planning

Purpose of Ballot

This ballot proposes the addition of a new subsection, Section 5.7.1.2 – Mass Revocation Planning, to the Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates. Its purpose is to require that Certification Authorities (CAs) develop, maintain, and annually test a Mass Revocation Plan as part of their overall business continuity strategy. This is already a requirement of the Mozilla Root Program.

Mass revocation events—situations where a large proportion of a CA's certificates must be revoked within a short period of time—pose significant risks to the stability, reliability, and trustworthiness of the Web PKI. In recent years, such events have revealed operational challenges in CA readiness, communication with affected parties, and the timely replacement of revoked certificates. A well-prepared and well-tested plan is essential to minimizing disruption to subscribers and relying parties, as well as to maintaining the integrity of the public trust ecosystem.

This amendment sets forth minimum requirements for Mass Revocation Plans, including activation criteria, defined roles and responsibilities, mechanisms for subscriber communication, documentation of processes, and expectations for regular testing. It also requires that, as of December 1, 2025, CAs assert in their CPSes that they maintain such a plan and incorporate lessons learned from testing to continually improve their preparedness.

The goal of this ballot is to improve transparency, auditability, and operational resilience across all publicly-trusted, TLS-issuing CAs, while aligning expectations with existing root program policies and auditor feedback.

The following motion has been proposed by Ben Wilson (Mozilla) and endorsed by Enrico Entschew (D-Trust) and Pedro Fuentes (OISTE).

 

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.1.5 as specified in the following redline:

https://github.com/cabforum/servercert/compare/e9176e15805a2f7908411a22a40047b655fa24c4...c9076a905c30c7766404f240fac4a198e6b9e2f2

Motion Ends

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

• Start time: July 7, 2025 23:00 UTC

• End time: on or after July 14, 2025 23:00 UTC

Vote for approval (7 days)

• Start time: July 15, 2025 22:00 UTC

• End time: July 22, 2025 22:00 UTC

[Josselin ALLEMANDOU]

Certigna votes YES on ballot SC-089

 

 

 

 

De : 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Envoyé : mardi 15 juillet 2025 23:36
À : server...@groups.cabforum.org
Objet : [Servercert-wg] VOTING PERIOD: Ballot SC-089: Mass Revocation Planning

 

⚠ FR : Ce message provient de l'extérieur de l'organisation. N'ouvrez pas de liens ou de pièces jointes à moins que vous ne sachiez que le contenu est fiable.  ⚠

[Tom Zermeno]

SSL.com votes YES on SC-089.

 

From: 'Ben Wilson' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>

Sent: Tuesday, July 15, 2025 4:36 PM
To: server...@groups.cabforum.org

[khanmurad....@sinam.net]

SINAM votes YES on Ballot SC-089.

 

Best regards,

Khanmurad Abdullayev

To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/AS2PR10MB7777393EF4315DCF83183EAA815CA%40AS2PR10MB7777.EURPRD10.PROD.OUTLOOK.COM.

[Karina Sirota Goodley]

Microsoft votes YES on SC-089.

[Dimitris Zacharopoulos (HARICA)]

On 7/22/2025 6:34 PM, khanmurad....@sinam.net wrote:

SINAM votes YES on Ballot SC-089.

 

Best regards,

Khanmurad Abdullayev

SINAM is an Interested Party so this vote will not be counted.

Thank you,
Dimitris.

--
Dimitris Zacharopoulos
CA/B Forum SCWG Chair