CA/Browser Forum
Home » All CA/Browser Forum Posts » 2025-12-17 Minutes of the S/MIME Certificate Working Group

2025-12-17 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

December 17, 2025

These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.

1. Roll Call

2. Note well: Antitrust / Compliance Statement

3. Approval of past minutes

The following minutes were approved:

  • NA

Minutes provided by Stephen Davidson.

4. Review Agenda

5. Membership

NA

6. Discussion

  • The WG discussed issues that were arising for TLS certificates being used in SMTP Authentication. Starting in June 2026 Chrome root program begins restricting multi-EKU certificates. Starting in 2028, Mozilla will also move towards dedicated hierarchies. This means that certificates that have both id-kp-serverAuth + id-kp-clientAuth will ultimately not be allowed.

  • Stephen Davidson said SMTP isn’t a browser, but the policy changes apply to SMTP certificates if issued from browser-trusted hierarchies. SMTP infrastructure relies on such combination certificates for bidirectional authentication.

  • SMTP with STARTTLS (RFC 3207) describes dual-role requirements:

    • Server role: Present certificate during inbound connection (requires serverAuth)
    • Client role: Authenticate to downstream MTAs requiring client certs (requires clientAuth)

  • Current deployment patterns focus heavily on a single certificate with both EKUs per SMTP server. Several CAs reported customer enquiries regarding how these certificates will be issued following the Chrome deprecation of clientAuth.

  • Stephen said that the case was clearly adjacent to the SMCWG’s interests, and that it appeared there was a gap in standards and/or policy for SMTP MTA-to-MTA certificates. He said that there may be motivation to use private-but-widely-adopted hierarchies like X.9. Martijn Katerbarg said their broadly were low standards for authentication cert vetting, which may explain the preference for TLS.

  • Stephen said that confusion surrounding SMTP certs may be accelerated if the issue is not addressed.

  • Stephen said that he was not aware of any analysis of actual use in SMTP software, including whether SMTP software could support separate server/client certificates. He also said that it was difficult to ascertain the scale of the issue, or the makeup of public vs private. The group estimated that hundreds of thousands of such certificates are in current use. He asked for assistance in determining that background. Andy Warner said that large cloud email platforms would have access to such data, and said that he would try to get access to high-level counts. Stephen thanks him and welcomed such non-granular information from other email providers.

  • Ashish Dhiman raised the question of EKU and validity periods in the Multipurpose profiles. Stephen said that no change was envisaged at this time. Rebecca Kelly said that some CAs were dealing with the issue by using hierarchies that are “public-trust-other-than-Chrome”. Stephen noted that the fragmentation of root program rules was creating complexity on hierarchy choices.

  • Stephen asked for feedback from the WG. It was noted that many mail servers were Linux and appeared to rely upon NSS. Ben Wilson noted the past blog post by Kathleen Wilson noting that NSS was intended as a webPKI root store. It was discussed that more information is required in order to decide applicability with this WG, or if it was more appropriate for another WG.

  • Stephen noted that the WG would return to the topic, and would also proceed with the ballots for pseudonyms and mDL in early 2026. He welcomed proposals for topics from both CAs and from Certificate Consumers, and thanked WG members for their participation in 2025.

7. Next meeting:

  • January 14, 2025 at 11 am Eastern . December 31 meeting is cancelled.

8. Any other business

NA

9. Adjourn

Attendees:

Adam Folson (IdenTrust), Albert de Ruiter (Logius PKIoverheid), Andy Warner (Google), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Guillaume Amringer (Carillon Information Security Inc.), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Jozef Nigut (Disig), Judith Spencer (CertiPath), Malcolm Idaho (IdenTrust), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Pekka Lahtiharju (Telia Company), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Russ Housley (Vigil Security LLC), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Thomas Zermeno (SSL.com), Tim Crawford (CPA Canada/WebTrust), Wendy Brown (US Federal PKI Management Authority), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases
Server Certificate Requirements
SC090: Gradually sunset all remaining email-based, phone-based, and ‘crossover’ validation methods from Sections 3.2.2.4 and 3.2.2.5 - Jan 14, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.12 - Ballot SMC014 - Oct 13, 2025

This ballot introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective, effective March 15, 2026. The ballot is intended to maintain consistency in the S/MIME Baseline Requirements with the requirements of Ballot SC-085 which implemented identical requirements in the TLS Baseline Requirements. Note: SC-085 also introduced requirements in TLS Baseline Requirements for the use of DNSSEC in domain control validation. These requirements are automatically adopted in the S/MIME BR by the email domain control methods that include a normative reference to section 3.2.2.4 of the TLS Baseline Requirements. The draft also includes minor corrections to web links in the text. This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Client Wilson (Apple) and Ashish Dhiman (GlobalSign).

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Related posts
Tags
Minutes S/MIME
Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).