CA/Browser Forum
Home » All CA/Browser Forum Posts » 2022-04-21 Minutes of the Code Signing Certificate Working Group

2022-04-21 Minutes of the Code Signing Certificate Working Group

Attendees

Atsushi Inaba (GlobalSign), Ben Wilson (Mozilla), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dimitris Zacharopoulos (HARICA), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Joanna Fox (TrustCor), Martijn Katerbarg (Sectigo), Michael Sykes (SSL.com), Roberto Quinones (Intel), Tim Crawford (CPA Canada/WebTrust)

Minutes

Antitrust Statement: Read by Bruce Morton

Minute Taker: Martijn Katerbarg

Minutes of the April 7th meeting were approved.

Ballot for CSBR Format Change

There was a discussion on when the discussion period for the format change should start and whether we should wait until the IPR review period of ballot CSC-13 has completed or not.

Dimitris mentioned we might need 2 redlined versions if we do, one in case the IPR period completes successfully, and one if it doesn’t. The group agrees this seem like a lot of extra work and not the way we want to move forward.

There was consensus on that we could start drafting the ballot and start a two week pre-ballot discussion based on that, after which the IPR review period of CSC-13 has passed. After this, a 7 day official discussion period can be started. Corey will take this and move forward in this way.

A question followed on how we created the redline when we did the format change on the TLS BRs. Dimitris referred to where a mapping document was used to make the conversion table.

Ballot for High Risk (Bruce/Ian)

Ian brought up our High Risk language. The way it’s written at current, doesn’t make sense with the changes CSC-13 will bring come November 15. Bruce previously sent a draft for simplified language to Ian. Bruce described the changes and will be sending the draft out to the mailing list for everybody to review.

The goal is to resolve this conflict before November 15th, with a ballot process starting when the CSBR Format Change has been completed.

Other Business

Except for a quick additional comment on the CSBR Format Change item, there was no Other Business.

The next meeting is set for May 5th.

Adjourned

Latest releases
Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Related posts
Tags
Code Signing Minutes
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).