CA/Browser Forum
2023-02-09 Minutes of the Code Signing Certificate Working Group

Attendees

Andrea Holland (VikingCloud), Atsushi Inaba (GlobalSign), Ben Dewberry (Keyfactor), Brianca Martin (Amazon Trust Services), Bruce Morton (Entrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Ian McMillan (Microsoft), Inigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Mohit Kumar (GlobalSign), Roberto Quinones (Intel), Rollin Yu (TrustAsia), Tim Crawford (WebTrust), Tim Hollebeek (DigiCert)

Minutes

  1. Antitrust statement read
  2. Approval of minutes: Jan 26th minutes have not been sent out
  3. Ballot: Malware base revocation (Martijn)
     • Received some pushback on the mailing list.
     • Discussion from Martijn K., Bruce M., Ian M., and Tim H. around revamping the entire revocation section.
     • Agreed to pull the revocation sections from the TLS and SMIME BRs, removing unnecessary items and adding necessary sections like backdating and revocation investigations.
  4. Ballot: Signing Service Update (Bruce)
     • Previous action item was to change the definition of Signing Service to align with what a signing service does and its models.
     • Proposed definition: **Subscriber Key Protection Service**: An organization that generates the Key Pair and securely generates and manages the Private Key associated with a Subscriber’s Code Signing Certificate.
     • Discussion from Bruce M., Tim H., Ian M., Inigo B., and Martijn K. on the requirements for a signing service: who generates, who activates, who stores, how it is stored, and how it is managed. Discussion around changing the name from Signing Service to Subscriber Key Protection Service, as the focus of the Signing Service is on protection, not the artifact being signed.
     • Next step is to close out the comments, push through the new definition, get a second proposal, and effective date.
  5. Ballot: Remove SSL BR References – tabled discussion
  6. Other business – F2F prep
     • Top 3 Goals are being worked on:
       1. Revocation ballot
       2. Subscriber Key Protection Service ballot
       3. SSL BR reference ballot
     • Additional goals:
       1. timestamp updates
       2. high risk applicants
       3. validity period
       4. shorter lived certificates
       5. certificate transparency
  7. Next Meeting – Potentially cancel the meeting on 23 February
  8. Adjourn

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).