2025-08-27 Minutes of the S/MIME Certificate Working Group
Minutes of SMCWG
August 27, 2025
These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.
1. Note Well and Antitrust Statement
2. Roll Call
- Taken from recording. See “Attendees” below.
3. Approval of Prior Minutes
- Minutes from July 30 were approved.
- Minutes were taken by Stephen Davidson.
4. Agenda Review
- The agenda was reviewed. There were no additions.
5. Membership Applications
- None
6. Discussion Topics
* Topic 1: SMC013 PQC for S/MIME was adopted August 22
* Topic 2: Final check in on charter update
https://github.com/cabforum/forum/pull/71
Stephen Davidson noted the both the S/MIME BR and this charter update identify WebTrust for S/MIME 1.0.0 or newer as one of the eligible audits supporting a Certificate Issuer’s membership. He noted that the current version is 1.0.8 and asked if it should be updated. Luis Cervantes supported updating them.
Scott Rea and Judith Spencer said that it may not be necessary to quote version numbers and that it might suffice to say “current version”. Stephen said that might have timing issues and perhaps “current version for the audit period”. Clint Wilson said that WebTrust firms would automatically use the current version, and that an update would be nice but was not essential.
* Topic 3: SMC014 Require DNSSEC for CAA (maintaining equivalency with TLS BR, SC-085)
Stephen noted that ballot SMC014 had been in discussion for two weeks and that he was prepared to move it to ballot as early as today. He walked through the contents of the ballot with the WG. In addition to the DNSSEC changes, the ballot includes several updates to RFC internet links, for consistency across the document.
Several minor changes were suggested to the text, so Stephen agreed to extend the discussion for another week.
https://github.com/cabforum/smime/issues/275
7. Ballot Status Updates (if applicable)
* In Development: Pseudonym, mDL
* In Discussion Period: SMC014: DNSSEC for CAA
* In Voting Period: NA
* Under IPR Review: NA
* Approved and Effective: SMC013 PQC for S/MIME (as of August 22)
8. Next Meeting
Date: Wednesday, September 10 2025 at 11:00 am Eastern Time.
9. Any Other Business
Stephen noted that the group would return to the topic of pseudonyms and noted that as previously agreed, he’d reach out to Scott and Judith for assistance in drafting a proposal to support the idea of “org pseudonyms”.
Scott Rea said that in his conversations with analysts there was feedback that they wished the CABF would take a more vocal role in providing guidance for PQC. Stephen said that our role was largely focused on issuing certificates, but that the CABF could certainly be more active in talking about automation, which would be a vital underpinning to PQC transitions. Scott said that he believed PQC may become relevant to S/MIME (as messages are stored) sooner than other cert types.
The WG had a discussion of the variables of PQC roadmaps. Stephen noted that he wished there was more information available from OS and Certificate Consumer mail clients on their view of the PQC rollout, and asked associated members if they would be willing to speak with the group.
Stephen noted that Martijn would be leading the September 10 meeting.
10. Adjournment
- The meeting was adjourned.
11. Attendees
Adrian Mueller (SwissSign), Adriano Santoni (Actalis S.p.A.), Andy Warner (Google), Ashish Dhiman (GlobalSign), Clint Wilson (Apple), Guillaume Amringer (Carillon Information Security Inc.), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Jozef Nigut (Disig), Judith Spencer (CertiPath), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kiran Tummala (Microsoft), Luis Cervantes (SSL.com), Malcolm Idaho (IdenTrust), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Peter Miskovic (Disig), Rebecca Kelly (SSL.com), Renne Rodriguez (Apple), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Huff (Microsoft), Wiktoria Więckowska (Asseco Data Systems SA (Certum))