Voting Period Begins - Ballot SC-095v2: 2025 Cleanup


Kateryna Aleksieieva

Feb 2, 2026, 11:12:56 AM
to server...@groups.cabforum.org

Summary of the Ballot

This ballot introduces a set of updates across the Baseline Requirements and EV Guidelines to improve clarity, consistency, definitions, and structural correctness. More details are available in the Pull Request. Changes fall into the following categories:

 

Formatting, References, and Consistency Improvements

(#193, #299, #322, #415, #432, #458, #542, #570, #574, #576, #584, #592)
Standardization of formatting (dates, tables, headers, lists, bolding, punctuation, hyphens), correction of links and anchors, typos, cleanup of spacing and duplicated text, harmonization of RFC references and URL formats, and removal of obsolete or redundant editorial content. All relevant dates before 2025-01-01 removed.

Definition Updates and Clarifications

(#303, #428, #435, #449, #471, #496, #512, #524, #564, #592)
Updates to definitions and terminology, removal of outdated code-signing wording, corrections to WHOIS and NTR definitions, clarification of delegation and validation reuse rules, alignment of language between BR and EV sections, addition of a “Precertificate” definition, and removal of legacy notes or outdated Relevant Dates.

Section-Specific Fixes

(#432, #452, #458, #546, #570, #444, #274)
Corrections to numbering, indentation, spacing, table structure, missing sections, example restoration/removal, adjustments to size limits, and updates to validation-method names and formatting.

Normative Adjustments

(#540, #547)
Refinements to normative requirements (MUST NOT → SHOULD NOT), removal of outdated effective-date notes, and header updates.

Correction to EVG 7.1.4.2.6

(#623)
Replacement of an obsolete BR reference with a self-contained definition of the Subject’s Physical Address of Place of Business, including OIDs, attribute requirements, and verified content rules.

Clarification to EVG 3.2.2.14.1

(#642)
RDAP should be used the same way as WHOIS.

Clarification of the "Certificate Profile" defined term

(#526)
The definition was updated per https://github.com/cabforum/servercert/pull/639

Update Section 4.9.1.1 to explicitly reference CAA violations

(#580)
This is a normative change clarifying that CAA violations are treated as part of the Domain Validation process. This was already the expected behavior as discussed in various CABF SCWG meetings.


 

The following motion has been proposed by Karolina Ruszczyńska (Certum by Asseco) and Kateryna Aleksieieva (Certum by Asseco) and endorsed by Dimitris Zacharopoulos (HARICA) and Wayne Thayer (Fastly).

 

--- Motion Begins ---

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“Baseline Requirements”), based on Version 2.1.9

This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“Extended Validation Guidelines”), based on Version 2.0.1

Redline: https://github.com/cabforum/servercert/compare/351f2755443ff78093d1b62b0b8a251ef6d8fc2d 

 

--- Motion Ends ---

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (at least 7 days)

• Start time: 2026-01-26 17:00:00 UTC

• End time: 2026-02-02 17:00:00 UTC

Vote for approval (7 days)

• Start time: 2026-02-02 17:00:00 UTC

• End time: 2026-02-09 17:00:00 UTC

 

Ben Wilson

Feb 2, 2026, 4:13:34 PM
to server...@groups.cabforum.org
Mozilla votes "Yes" on Ballot SC-095v2

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/DU0PR10MB72643E4485B6EA401E1B9D73819AA%40DU0PR10MB7264.EURPRD10.PROD.OUTLOOK.COM.

Pedro FUENTES

Feb 3, 2026, 2:53:50 AM
to server...@groups.cabforum.org
OISTE Votes Yes to SC-095v2




WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager

Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland

黃晟(orca)

Feb 3, 2026, 3:33:40 AM
to server...@groups.cabforum.org

TWCA votes “Yes” on ballot SC-095v2.

 

 

Regards,

 

Sean Huang

Senior R&D Engineer
TEL: 02-2370-8886#728
FAX:02-2388-6720
Email:or...@twca.com.tw

10F., No. 85, Yanping South Road,

Taipei, Taiwan (R.O.C.)

--

Dimitris Zacharopoulos (HARICA)

Feb 3, 2026, 4:11:03 AM
to server...@groups.cabforum.org
HARICA votes "yes" to ballot SC-095v2.
--

Marco Schambach

Feb 3, 2026, 10:21:54 AM
to server...@groups.cabforum.org

IdenTrust votes “Yes” on SC-095v2

 

Marco S.

TrustID Program Manager

 


郭宗閔

Feb 4, 2026, 1:09:09 AM
to server...@groups.cabforum.org

Chunghwa Telecom votes "Yes" on Ballot SC-095v2

 

Regards,

Tsung-Min Kuo

Chunghwa Telecom Co., Ltd.

 


Karina Sirota Goodley

Feb 4, 2026, 11:44:08 AM
to server...@groups.cabforum.org

Microsoft votes "Yes" on Ballot SC-095v2.

 

 

Best, Karina

 


Tim Hollebeek

Feb 4, 2026, 1:58:28 PM
to server...@groups.cabforum.org
DigiCert votes NO on SC-095.

While we appreciate all the hard work that went into this ballot, we've spotted a critical error. On line 592, it appears the reference to RFC 7482 has been deleted, presumably for the purpose of adding a link, but the link is for the next RFC in the list, 7538, which results in removing the intended reference to 7482.

If the error is corrected in a subsequent ballot, we will vote YES.

-Tim

Dimitris Zacharopoulos

Feb 4, 2026, 3:48:52 PM
to 'Tim Hollebeek' via Server Certificate WG (CA/B Forum)
Hi Tim,

Please see my response to Rich earlier today.

https://github.com/cabforum/servercert/pull/628#discussion_r2762707956

The definition calls out the correct, existing RFC.

Do other people agree or disagree with that interpretation?


Thanks,

DZ.


Aaron Gable

Feb 4, 2026, 6:05:10 PM
to server...@groups.cabforum.org
Dimitris,

While one reference to RFC 7482 (in the Definitions section, as you point out) was updated to instead reference RFC 9082, other references within the document were not updated. The line for RFC 7482 needs to remain as long as those other citations remain.

Aaron

Dimitris Zacharopoulos (HARICA)

Feb 5, 2026, 2:26:44 AM
to server...@groups.cabforum.org
Indeed, it's a bit messy. As you correctly pointed out, Aaron, sections in 3.2.2.4 directly reference the existing RDAP RFC 7482 document while the "WHOIS" definition and section 1.6.3 replaced RFC 7482 with its replacement (9082). After reviewing Appendix A of RFC 9082 (Changes from RFC 7482) it is clear that the new RFC provided clarifications and improved language without changing normative requirements so I don't see any immediate risk in leaving this inconsistency for a while.

I see two options for resolving:
  1. Ask the proposer to withdraw the ballot in line with Bylaws 2.3 (4), restore the references to RFC 7482 and restart the process from the discussion period; or
  2. Let the ballot pass and kindly ask the proposer of the next ballot to either change all references to RFC 9082 (allowing people time to review that there are no breaking changes), or restore the references to RFC 7482.

I'm fine either way. Are there any other options?

Dimitris.

Backman, Antti

Feb 5, 2026, 6:44:50 AM
to server...@groups.cabforum.org
Hi, 

Maybe option 1 could be the better way to go and if that is chosen by the proposer. 

A couple of observations to check out also:

Sections:

"1.3.2 Registration Authorities

With the exception of Section 3.2.2.4, Section 3.2.2.5 and (effective 2026-03-15) Section 3.2.2.8, the CA MAY…” 

Wondering what is the purpose of the text in parenthesis defining an effective date? I believe it is referring to the DNSSEC validation of CAA Records, but is it something we would like to have in this section explicitly written?

AND

"3.2.2.4.21 DNS Labeled with Account ID - ACME

Confirming the Applicant's control over the FQDN by performing the procedure documented for a |"dns-account-01” …"

Is that pipe (“|”) character relevant or could it be removed?

Thanks, 

//Antti

Kateryna Aleksieieva

Feb 5, 2026, 8:23:21 AM
to server...@groups.cabforum.org

Hi all,

 

Thank you for the discussion and for noticing the error. 

 

Option 2 suggested by Dimitris would indeed be the simplest operationally and would also give us a clean path to transition to RFC 9082 in a follow-up ballot, allowing explicit time for review and confirmation that there are no breaking changes. However, at this point there does not appear to be sufficient explicit support for letting the current inconsistency stand. Given that the issue has already resulted in a NO vote, proceeding without broader consensus is risky and may further prolong the process rather than unblock it. 

 

Procedurally, withdrawal still seems the safer option unless clear support for option 2 emerges.

 

Addressing Antti’s observations:

  1. The stray pipe (“|”) character in Section 3.2.2.4.21 was unintentional and has already been corrected.
  2. From our understanding, the effective date noted in parentheses in Section 1.3.2 reflects the time-bound introduction of DNSSEC validation of CAA Records. We do not have a strong position on whether this text is needed in that specific place; however, in the event of withdrawing the ballot, we would prefer to limit changes strictly to fixing the RFC reference issue and avoid introducing or refining additional topics at this stage for the sake of clarity.

Kind regards,
Kateryna Aleksieieva

Tim Hollebeek

Feb 5, 2026, 2:10:57 PM
to server...@groups.cabforum.org
I support withdrawal. That's what we have historically done in these cases where an error is found during voting.

Option 2 has little upside, as this is a cleanup ballot. There is no need to rush out a partial cleanup. Let's get it right.

-Tim




Kateryna Aleksieieva

Feb 6, 2026, 3:14:19 AM
to server...@groups.cabforum.org

I am withdrawing ballot SC-095v2 under section 2.3(4) of the bylaws due to a missing link in the RFC definitions. We will correct the issue and resubmit the updated proposal for further discussion.

Kind regards,
Kateryna Aleksieieva

Tobias S. Josefowitz

Feb 9, 2026, 8:52:02 AM
to Server Certificate WG (CA/B Forum)
On Mon, 2 Feb 2026, 'Kateryna Aleksieieva' via Server Certificate WG (CA/B Forum) wrote:

> --- Motion Begins ---
> This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“Baseline Requirements”), based on Version 2.1.9
> This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“Extended Validation Guidelines”), based on Version 2.0.1
> Redline: https://github.com/cabforum/servercert/compare/351f2755443ff78093d1b62b0b8a251ef6d8fc2d

I realize the Ballot is withdrawn, but I am not sure this redline is valid
anyway. My understanding is that redline links need to encode both the
current revision and the commit specifying the changes being made, eg
ID1..ID2. In my understanding, this is to achieve that the redline can
still be reconstructed even if the URLs (or GitHub altogether) stop
working. In addition, I believe the redline accessible via the link above
would in the future be empty if the Ballot had passed and the changes were
incorporated.

Tobi

Kateryna Aleksieieva

Feb 9, 2026, 10:00:41 AM
to server...@groups.cabforum.org
Thanks for pointing that out, Tobi. I was planning to restart the discussion today, but since the redline was incorrect, I need to prepare the correct version first. Could you or someone else advise on how to create an accurate redline link?

Kind regards,
Kateryna Aleksieieva


Dimitris Zacharopoulos (HARICA)

Feb 9, 2026, 11:51:36 AM
to server...@groups.cabforum.org
Hi Kateryna,

Check out the "Compare Changes" section in
https://wiki.cabforum.org/books/forum/page/github-redline-guide

Thanks,
Dimitris.
