CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-03-17 Minutes of the Server Certificate Working Group

2022-03-17 Minutes of the Server Certificate Working Group

Attendees

Adam Jones (Microsoft), Adrian Mueller (SwissSign), Amanda Mendieta (Apple), Andrea Holland (SecureTrust), Ben Wilson (Mozilla), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Clint Wilson (Apple), Corey Bonnell (Digicert), Dean Coclin (Digicert), Doug Beattie (GlobalSign), Dustin Ward (SSL.com), Enrico Entschew (D-TRUST), Fumi Yoneda (Japan Registry Services), Heather Warncke (Amazon), Hogeun Yoo (NAVER), Hubert Chao (Google), Inaba Atsushi (GlobalSign), Inigo Barreira (Sectigo), Joanna Fox (TrustCor Systems), Johnny Reading (GoDaddy), Karina Sirota (Microsoft), Kati Davids (GoDaddy), Khairil Nizam Abdul Malek (MSC Trustgate Sdn Bhd), Kiran Tummala (Microsoft), Mads Henriksveen (Buypass AS), Marcelo Silva (Visa), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rae Ann Gonzales (GoDaddy), Rebecca Kelley (Apple), Renne Rodriguez (Apple), Ryan Dickson (Google), Stephen Davidson (Digicert), Tim Hollebeek (Digicert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tyler Myers (GoDaddy), Wendy Brown (US Federal PKI Management Authority), Yoshiro Yoneya (Japan Registry Services)

Minutes

1. Read Antitrust Statement

Jos Purvis read the antitrust statement.

2. Roll Call

Stephen read the roll.

3. Review Agenda

No changes were made to the agenda.

4. Approval of Minutes from Last Teleconference

The last meeting was at the March F2F, so there are no meeting minutes to approve.

Jos said that the minutes from the last face-to-face are ready for review except for one session, so please review them and we will approve this portion of the F2F meeting minutes during our next call.

5. Validation Subcommittee Update

Corey provided a summary of the last call. It was a brief call where we discussed 2 topics

  1. The Profile ballot work is currently being done in one person’s GitHub repo and we discussed if we should move this to allow edits to be made more freely.

  2. We discussed changes to the EV Enterprise RA wording and also the “3-second” rule for CRL downloads. For those that want more information, please see the draft notes for this meeting send out by Doug.

6. NetSec Subcommittee Update

Clint said there was not much to report and that the NetSec transition is about complete.

7. Ballot Status

Ballots in Discussion Period

None

Ballots in Voting Period

  • Ballot SC-54 v2: Onion Cleanup

Ballots in Review Period

  • Ballot SC51 – Reduce and Clarify Log and Records Archival Retention Requirements
  • Ballot SC53 – Sunset for SHA-1 OCSP Signing
  • Chris Kemmerer noted that there was renewed interest in the Debian weak key ballot at the F2F, so in the next couple of weeks he will be bringing that back as a new ballot.

8. Any Other Business

None

9. Next call: March 31, 2022 at 11AM Eastern

Adjourn; Immediately convene meeting of CA Browser Forum (same call)

Latest releases
Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Related posts
Tags
Minutes Server Certificates
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).