CA/B Forum CSC-32 Enters IPR Review
Ballot CSC-32 - "Make a Reserved Policy OID mandatory" has cleared the voting period at the CA/Browser Forum and is currently in IPR Review at the Code Signing Certificate Working Group. Per CA/B Forum Policy §4.1, the review period runs 30 days; if no Exclusion Notices are filed, the ballot will be adopted and incorporated into a new version of the Code Signing Baseline Requirements.
What CSC-32 would change
If adopted, every Code Signing certificate issued on or after 15 September 2026 would have to contain exactly one CA/B Forum Reserved Policy OID in the certificatePolicies extension. CA-defined policy OIDs would remain permitted as optional additional identifiers.
The relevant reserved OIDs, as listed in the CA/B Forum Object Registry:
- Non-EV Code Signing: 2.23.140.1.4.1
- EV Code Signing: 2.23.140.1.3
- Timestamp: 2.23.140.1.4.2
Under the current CSC BR v3.10.0 (in force after CSC-31), Subscriber certificates must include CA-defined policy identifiers, while the CA/B Forum reserved OIDs are optional. CSC-32 inverts that: the reserved OID becomes mandatory.
Background
The change originates from GitHub issue #45 in the CA/B Forum code-signing working repository, opened by Adriano Santoni (ACTALIS S.p.A.). The stated goal was to make it possible to determine programmatically whether a certificate is intended to comply with the Code Signing Baseline Requirements - aligning the CSBR text with what is already effectively required by Microsoft's Trusted Root Program policy §3.A(10), as noted in the issue thread.
What it would mean in practice
If adopted, the change is primarily a certificate profile and compliance update. It does not alter how software is signed, does not affect cryptographic strength, and does not invalidate certificates issued before the effective date.
Implementation work falls mainly on CAs - updating issuance profiles, validation, and linting tools. Subscribers buying through resellers should not normally need to select the OID manually; it is set by the issuing CA as part of the profile.
If CSC-32 clears IPR Review without exclusions, the adopted text will be published as a new revision of the Code Signing Baseline Requirements on the CA/B Forum public website.

