Home » All CA/Browser Forum Posts » 2025-08-27 Minutes of the S/MIME Certificate Working Group

2025-08-27 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

August 27, 2025

These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

1. Note Well and Antitrust Statement

2. Roll Call

Taken from recording. See “Attendees” below.

3. Approval of Prior Minutes

Minutes from July 30 were approved.
Minutes were taken by Stephen Davidson.

4. Agenda Review

The agenda was reviewed. There were no additions.

5. Membership Applications

None

6. Discussion Topics

* Topic 1: SMC013 PQC for S/MIME was adopted August 22

* Topic 2: Final check in on charter update

https://github.com/cabforum/forum/pull/71

Stephen Davidson noted the both the S/MIME BR and this charter update identify WebTrust for S/MIME 1.0.0 or newer as one of the eligible audits supporting a Certificate Issuer’s membership. He noted that the current version is 1.0.8 and asked if it should be updated. Luis Cervantes supported updating them.

Scott Rea and Judith Spencer said that it may not be necessary to quote version numbers and that it might suffice to say “current version”. Stephen said that might have timing issues and perhaps “current version for the audit period”. Clint Wilson said that WebTrust firms would automatically use the current version, and that an update would be nice but was not essential.

* Topic 3: SMC014 Require DNSSEC for CAA (maintaining equivalency with TLS BR, SC-085)

Stephen noted that ballot SMC014 had been in discussion for two weeks and that he was prepared to move it to ballot as early as today. He walked through the contents of the ballot with the WG. In addition to the DNSSEC changes, the ballot includes several updates to RFC internet links, for consistency across the document.

Several minor changes were suggested to the text, so Stephen agreed to extend the discussion for another week.

https://github.com/cabforum/smime/issues/275

https://github.com/cabforum/smime/compare/59687c5e3835f889cdbb0ff0f0a24cfffc684084...dcd4ea338d796f2875da3ea015dc585dcde431c7

7. Ballot Status Updates (if applicable)

*  In Development:  Pseudonym, mDL
*  In Discussion Period: SMC014: DNSSEC for CAA
*  In Voting Period: NA
*  Under IPR Review: NA
*  Approved and Effective: SMC013 PQC for S/MIME (as of August 22)

8. Next Meeting

Date: Wednesday, September 10 2025 at 11:00 am Eastern Time.

9. Any Other Business

Stephen noted that the group would return to the topic of pseudonyms and noted that as previously agreed, he’d reach out to Scott and Judith for assistance in drafting a proposal to support the idea of “org pseudonyms”.

Scott Rea said that in his conversations with analysts there was feedback that they wished the CABF would take a more vocal role in providing guidance for PQC. Stephen said that our role was largely focused on issuing certificates, but that the CABF could certainly be more active in talking about automation, which would be a vital underpinning to PQC transitions. Scott said that he believed PQC may become relevant to S/MIME (as messages are stored) sooner than other cert types.

The WG had a discussion of the variables of PQC roadmaps. Stephen noted that he wished there was more information available from OS and Certificate Consumer mail clients on their view of the PQC rollout, and asked associated members if they would be willing to speak with the group.

Stephen noted that Martijn would be leading the September 10 meeting.

10. Adjournment

The meeting was adjourned.

11. Attendees

Adrian Mueller (SwissSign), Adriano Santoni (Actalis S.p.A.), Andy Warner (Google), Ashish Dhiman (GlobalSign), Clint Wilson (Apple), Guillaume Amringer (Carillon Information Security Inc.), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Jozef Nigut (Disig), Judith Spencer (CertiPath), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kiran Tummala (Microsoft), Luis Cervantes (SSL.com), Malcolm Idaho (IdenTrust), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Peter Miskovic (Disig), Rebecca Kelly (SSL.com), Renne Rodriguez (Apple), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Huff (Microsoft), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases

Server Certificate Requirements
SC-089: Mass Revocation Planning - Aug 26, 2025

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.12 - Ballot SMC014 - Oct 13, 2025

This ballot introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective, effective March 15, 2026. The ballot is intended to maintain consistency in the S/MIME Baseline Requirements with the requirements of Ballot SC-085 which implemented identical requirements in the TLS Baseline Requirements. Note: SC-085 also introduced requirements in TLS Baseline Requirements for the use of DNSSEC in domain control validation. These requirements are automatically adopted in the S/MIME BR by the email domain control methods that include a normative reference to section 3.2.2.4 of the TLS Baseline Requirements. The draft also includes minor corrections to web links in the text. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Client Wilson (Apple) and Ashish Dhiman (GlobalSign).

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025