CA/Browser Forum
Home » All CA/Browser Forum Posts » 2025-07-31 Minutes of the Server Certificate Working Group

2025-07-31 Minutes of the Server Certificate Working Group

Minutes of the CA/BF ServerCert Working Group, 2025-07-31

Administrivia

  • Minutes taken by Aaron Gable
  • Recording started
  • Attendance taken by Webex
  • Note-well read by Wayne Thayer
  • Agenda (shared by Dmitris Zacharopoulos) approved
  • Prior minutes
    • 2025-04-10 teleconference (taken by Trevoli Ponds-White): approved
    • 2025-07-17 teleconference (taken by Scott Rea): not yet distributed
  • Membership applications
    • Joshua Garrett approved as individual Interested Party

Ballot Status

In discussion period

  • SC086: Sunset the Inclusion of Address and Routing Parameter Area Names
    • No updates at this time

In IPR review period

  • SC089: Mass Revocation Planning

Recently published guidelines

  • SC085: Require DNSSEC for CAA and DCV Lookups
    • Published as TLS BR v2.1.6

Drafts

  • SC087: Registration Number Improvement for EV Certificates
    • Corey Bonnell: no updates at this time
  • SC088: Persistent DNS DCV
    • Michael Slaughter: no updates at this time
    • Wayne Thayer: planning to move this into discussion period soon
  • SC0XX: Process RFC 8657 CAA Parameters
    • Wayne Thayer: was on hold until SC085 passed, now ready to proceed
  • SC0XX: Validation method in TLS Certificates
    • Clint Wilson: no updates at this time

Topic: Debian Weak Keys

  • Martijn Katerbarg: Planning to add P-521 Weak Keys to the CABF Debian Weak Keys repository
  • This is not a new requirement; any CAs issuing P-521 certs should have generated these themselves already

Any Other Business

  • Next call 2025-08-28
    • August 14 is cancelled due to no available chairs

Attendees

Aaron Gable (Let’s Encrypt), Aaron Poulsen (Amazon), Alvin Wang (SHECA), Ben Wilson (Mozilla), Brianca Martin (Amazon), Chad Dandar (Cisco Systems), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Cynethia Brown (US Federal PKI Management Authority), Daryn Wright (Apple), Dean Coclin (DigiCert), Doug Beattie (GlobalSign), Gregory Tomko (GlobalSign), Inaba Atsushi (GlobalSign), Iori Kondo (Cybertrust Japan), Jaime Hablutzel (OISTE Foundation), Jeanette Snook (Visa), Jeff Ward (CPA Canada/WebTrust), Johnny Reading (GoDaddy), Josselin Allemandou (Certigna (DHIMYOTIS)), Jun Okura (Cybertrust Japan), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kate Xu (TrustAsia), Lucy Buecking (IdenTrust), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Masaru Sakamoto (Cybertrust Japan), Matthew McPherrin (Let’s Encrypt), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust), Nate Smith (GoDaddy), Nicol So (CommScope), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Peter Miskovic (Disig), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Ryan Dickson (Google), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Sven Rajala (Keyfactor), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases
Server Certificate Requirements
SC099: Improve Recording of Validation Methods - May 19, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Related posts
Tags
Minutes Server Certificates
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).