Home » All CA/Browser Forum Posts » 2025-08-21 Minutes of the Code Signing Certificate Working Group

2025-08-21 Minutes of the Code Signing Certificate Working Group

Certificate Signing Certificate Working Group (CSCWG) – Meeting Minutes

Date: August 21, 2025

1. Note Well

The Note Well was read.

2. Review of Agenda

No additions requested.

3. Interested Party Application: Joshua Garrett

IPR received. No objections on the call. Application approved.

4. Discussion Topics

a) Progress update on Validity Reduction ballot

Nate (Microsoft): Still seeking a second endorser; thread was sent a few weeks ago.
Scott Rea (eMudhra): Likely to endorse; will confirm within a day after reviewing additional info.
Next steps: Upon second endorsement, start the discussion period.

b) SC-Alignment ballot – Microsoft concerns on OCSP

Karina (Microsoft): Will draft proposed changes regarding OCSP items and circulate for pre-discussion.
Group discussed options:
- Split OCSP changes into a separate ballot, restart alignment ballot without them, or
- Incorporate Microsoft’s edits into a single revised ballot.
Karina to send draft; group to decide path based on feedback.

c) Request from external parties to present at the next F2F

Proposed speakers:
- Royal Canadian Mounted Police (RCMP)
- Canadian Centre for Cyber Security (CCCS)
- Private-sector partner / security researcher (prefers pseudonymous handle)
General support from the group to invite them (topic: malware and the impact of code signing).
Discussion on participation terms:
- Historically, invited guests observers only (not part of discussions); IPR typically not required.
- New “invited experts agreement” may apply; status to be checked.
Next steps: Martijn to raise at Forum level (with Dean) to confirm process/agreements; proceed with invitations absent objections.
Clarification: Researcher is pseudonymous, not attempting anonymity.

5. Any Other Business

Suggestion to work through backlog:

Cleanup ballot(s)
Alignment ballot(s)
Review open GitHub issues

6. Adjourn

Attendees

Brianca Martin (Amazon), Brian Winters (IdenTrust), Dean Coclin (DigiCert), Inaba Atsushi (GlobalSign), Karina Sirota (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Luis Cervantes (SSL.com), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nate Santiago (Microsoft), Nome Huang (TrustAsia), Rebecca Kelly (SSL.com), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases

Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025