CA/Browser Forum

2025-12-18 Minutes of the Forum

Final Minutes for CA/B Forum Plenary Meeting 2025-12-18

Minutes:

  1. Opening:
    • Dean Coclin (DigiCert) confirmed the recording was on and the Note Well was read.
    • Attendance was taken.
    • Minutes from December 4th were not yet released and would be addressed with Eva.
  2. Working Group Updates:
    • Server Certificate Working Group:
      • Dimitris Zacharopoulos (HARICA) provided an update: The WG reviewed open issues on GitHub, with many being incorporated into the cleanup ballot. Discussions led to progress and consensus on a path forward for several issues.
      • Wayne Thayer (Fastly) provided an update on the previous Validation Subcommittee meeting. They continued discussion on Jacob Hoffman-Andrews's pull request to update the definition of ADN, which involves substantial changes to section 3.2.2.4 and is moving in the right direction. In that call, Clint also proposed a ballot regarding the use of RDAP in the EV Guidelines, as the guidelines only specified WHOIS. The conclusion was that since the definition of WHOIS in the Baseline Requirements includes the RDAP protocol, only a clarification was needed, and this would be added to the cleanup ballot.
    • Code Signing Certificate Working Group:
      • Martijn Katerbarg (Sectigo) reported a short call last week with limited participants, so there was no significant update. He hoped for more traction next year.
    • S/MIME Certificate Working Group:
      • Martijn Katerbarg (Sectigo) reported on the previous month’s call where the main topic was client authentication for SMTP servers. It was unclear if there was an impact on the ecosystem or if it slightly overlapped with the Server Certificate WG. No real details were decided on the direction for this topic.
    • NetSec Working Group: No update.
    • Definitions and Glossary Working Group: No update.
    • Forum Infrastructure Subcommittee: Ben Wilson (Mozilla) stated that there had not been a call recently, so there was no update.
  3. Any Other Business:
    • Dean Coclin (DigiCert) mentioned he received feedback on his proposal for a Member Emeritus category. He acknowledged the concerns and will come up with an alternative, providing an update after the new year.
    • January 1st Meeting Cancellation: Dean Coclin (DigiCert) explained that he had attempted to cancel the 2026-01-01 meeting in the Webex account, but it had disappeared from the Webex portal, though it might still show on attendees’ calendars. He asked anyone with the invite on their calendar for 2026-01-01 to please delete it, as the meeting is not happening. Dimitris Zacharopoulos (HARICA) suggested adjusting recurring meeting dates, and Ben Wilson (Mozilla) speculated it might have been created before the CA/B Forum Webex account.
    • Dean Coclin (DigiCert) also provided an update on the F2F Meeting in Houston, TX, from 2026-03-10 to 2026-03-12. Arrangements are progressing, and he encouraged attendees to register.
  4. Next Call & Adjournment:
    • The next call will be on 2026-01-15.
    • Dean Coclin (DigiCert) wished everyone a Happy New Year, Merry Christmas, and happy holidays, then adjourned the meeting.

Attendees:

  • Aaron Gable (ISRG)
  • Aaron Poulsen (Amazon Trust Services)
  • Adam Jones (Microsoft)
  • Adriano Santoni (Actalis)
  • Alvin Wang (SHECA)
  • Antti Backman (Telia Company)
  • Arman Asemani (Apple)
  • Atsushi INABA (GlobalSign)
  • Ben Wilson (Mozilla)
  • Brianca Martin (Amazon)
  • Brittany Randall (GoDaddy)
  • Chris Clements (Chrome)
  • Dean Coclin (DigiCert)
  • Dimitris Zacharopoulos (HARICA)
  • Dustin Hollenback (Apple)
  • Greg Tomko (GlobalSign)
  • Inigo Barreira (Sectigo)
  • Jaime Hablutzel (WISeKey)
  • Jun Okura (Cybertrust)
  • Kate Xu (TrustAsia)
  • Kateryna Aleksieieva (Certum by Asseco)
  • Luis Cervantes (SSL.com)
  • Mahua Chaudhuri (Microsoft)
  • Marco Schambach (IdenTrust)
  • Martijn Katerbarg (Sectigo)
  • Michelle Coon (OATI)
  • Mrugesh Chandarana (IdenTrust)
  • Nargis Mannan (Viking Cloud)
  • Nate Smith (GoDaddy)
  • Nome Huang (TrustAsia)
  • ONO Fumiaki (SECOM Trust Systems)
  • Paul van Brouwershaven (Digitorus)
  • Peter Miskovic (Disig)
  • Rich Smith (DigiCert)
  • Scott Rea (eMudhra)
  • Sean Huang (TWCA)
  • Steven Deitte (GoDaddy)
  • Sven Rajala (Keyfactor)
  • Tadahiko ITO (SECOM)
  • Tathan Thacker (IdenTrust)
  • Tim Callan (Sectigo)
  • Tobias Josefowitz (Opera)
  • Thomas Zermeno (SSL.com)
  • Trevoli Ponds-White (Amazon Trust Services)
  • Wayne Thayer (Fastly)
  • Wendy Brown (FPKIMA)
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).