Home » All CA/Browser Forum Posts » 2025-08-21 Minutes of the Code Signing Certificate Working Group

2025-08-21 Minutes of the Code Signing Certificate Working Group

Certificate Signing Certificate Working Group (CSCWG) – Meeting Minutes

Date: August 21, 2025

1. Note Well

The Note Well was read.

2. Review of Agenda

No additions requested.

3. Interested Party Application: Joshua Garrett

IPR received. No objections on the call. Application approved.

4. Discussion Topics

a) Progress update on Validity Reduction ballot

Nate (Microsoft): Still seeking a second endorser; thread was sent a few weeks ago.
Scott Rea (eMudhra): Likely to endorse; will confirm within a day after reviewing additional info.
Next steps: Upon second endorsement, start the discussion period.

b) SC-Alignment ballot – Microsoft concerns on OCSP

Karina (Microsoft): Will draft proposed changes regarding OCSP items and circulate for pre-discussion.
Group discussed options:
- Split OCSP changes into a separate ballot, restart alignment ballot without them, or
- Incorporate Microsoft’s edits into a single revised ballot.
Karina to send draft; group to decide path based on feedback.

c) Request from external parties to present at the next F2F

Proposed speakers:
- Royal Canadian Mounted Police (RCMP)
- Canadian Centre for Cyber Security (CCCS)
- Private-sector partner / security researcher (prefers pseudonymous handle)
General support from the group to invite them (topic: malware and the impact of code signing).
Discussion on participation terms:
- Historically, invited guests observers only (not part of discussions); IPR typically not required.
- New “invited experts agreement” may apply; status to be checked.
Next steps: Martijn to raise at Forum level (with Dean) to confirm process/agreements; proceed with invitations absent objections.
Clarification: Researcher is pseudonymous, not attempting anonymity.

5. Any Other Business

Suggestion to work through backlog:

Cleanup ballot(s)
Alignment ballot(s)
Review open GitHub issues

6. Adjourn

Attendees

Brianca Martin (Amazon), Brian Winters (IdenTrust), Dean Coclin (DigiCert), Inaba Atsushi (GlobalSign), Karina Sirota (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Luis Cervantes (SSL.com), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nate Santiago (Microsoft), Nome Huang (TrustAsia), Rebecca Kelly (SSL.com), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases

Server Certificate Requirements
SC092: Sunset use of Precertificate Signing CAs - Nov 4, 2025

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.12 - Ballot SMC014 - Oct 13, 2025

This ballot introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective, effective March 15, 2026. The ballot is intended to maintain consistency in the S/MIME Baseline Requirements with the requirements of Ballot SC-085 which implemented identical requirements in the TLS Baseline Requirements. Note: SC-085 also introduced requirements in TLS Baseline Requirements for the use of DNSSEC in domain control validation. These requirements are automatically adopted in the S/MIME BR by the email domain control methods that include a normative reference to section 3.2.2.4 of the TLS Baseline Requirements. The draft also includes minor corrections to web links in the text. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Client Wilson (Apple) and Ashish Dhiman (GlobalSign).

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025