Home » All CA/Browser Forum Posts » 2025-08-21 Minutes of the Code Signing Certificate Working Group

2025-08-21 Minutes of the Code Signing Certificate Working Group

Certificate Signing Certificate Working Group (CSCWG) – Meeting Minutes

Date: August 21, 2025

1. Note Well

The Note Well was read.

2. Review of Agenda

No additions requested.

3. Interested Party Application: Joshua Garrett

IPR received. No objections on the call. Application approved.

4. Discussion Topics

a) Progress update on Validity Reduction ballot

Nate (Microsoft): Still seeking a second endorser; thread was sent a few weeks ago.
Scott Rea (eMudhra): Likely to endorse; will confirm within a day after reviewing additional info.
Next steps: Upon second endorsement, start the discussion period.

b) SC-Alignment ballot – Microsoft concerns on OCSP

Karina (Microsoft): Will draft proposed changes regarding OCSP items and circulate for pre-discussion.
Group discussed options:
- Split OCSP changes into a separate ballot, restart alignment ballot without them, or
- Incorporate Microsoft’s edits into a single revised ballot.
Karina to send draft; group to decide path based on feedback.

c) Request from external parties to present at the next F2F

Proposed speakers:
- Royal Canadian Mounted Police (RCMP)
- Canadian Centre for Cyber Security (CCCS)
- Private-sector partner / security researcher (prefers pseudonymous handle)
General support from the group to invite them (topic: malware and the impact of code signing).
Discussion on participation terms:
- Historically, invited guests observers only (not part of discussions); IPR typically not required.
- New “invited experts agreement” may apply; status to be checked.
Next steps: Martijn to raise at Forum level (with Dean) to confirm process/agreements; proceed with invitations absent objections.
Clarification: Researcher is pseudonymous, not attempting anonymity.

5. Any Other Business

Suggestion to work through backlog:

Cleanup ballot(s)
Alignment ballot(s)
Review open GitHub issues

6. Adjourn

Attendees

Brianca Martin (Amazon), Brian Winters (IdenTrust), Dean Coclin (DigiCert), Inaba Atsushi (GlobalSign), Karina Sirota (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Luis Cervantes (SSL.com), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nate Santiago (Microsoft), Nome Huang (TrustAsia), Rebecca Kelly (SSL.com), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases

Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.13 - Ballot SMC015v2 - Mar 28, 2026

This ballot introduces requirements that a CA or RA must follow to rely upon a Mobile Drivers License (mDL) to provide evidence for the authentication of individual identity. It allows the use of mDL that conform to ISO/IEC 18013-5 and which may be verified by the CA or RA in conformance with ISO/IEC 18013-7. The CA or RA shall only accept mDL from an Issuing Authority that is legally authorized by the relevant government or jurisdiction to issue driving licenses. The draft also aligns the subsections of 3.2.4.2 (Validation of individual identity) to correspond more closely with those in 3.2.4.1 (Attribute collection of individual identity). It also includes minor editorial corrections. SMC015v2 was updated to remove an additional reference to the superceded ETSI EN 319 403. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Ben Wilson (Mozilla) and Scott Rea (eMudhra).

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025