CA/Browser Forum
Home » All CA/Browser Forum Posts » 2026-04-08 Minutes of the S/MIME Certificate Working Group

2026-04-08 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

April 8, 2026

These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.


  1.       Roll Call 
    

  1.       Note well:  Antitrust / Compliance Statement
    

  1.       Approval of past minutes
    
  • Minutes of March 25 were deferred.

Minutes were taken by Stephen Davidson.


  1.       Review Agenda 
    

  1.       Membership
    

Stephen Davidson noted that Carillon had requested that its membership be changed to Interested Party.


  1.        Discussion
    

Stephen Davidson noted that the SBR had been updated on March 26 to v1.0.13. He also noted that Ballot SMC016 had been approved and was in IPR until May 1.

The WG discussed the draft ballot on RSA step up, proposed by DigiCert and endorsed by Mozilla and SwissSign. The ballot would become SMC017.

The WG reviewed recommendations and requirements from the underlying standards (such as NIST and ECCG). Inigo Barreira noted that some EU countries had extended the ECCG deadline into 2026.

The WG discussed whether the step up from 2048 to 3072 was adequate. Following discussion it was decided to change the target size for roots and subCAs to 4096. It was decided to leave the level for end entity certs at 2048 but to add language in the ballot saying that this would be addressed in a future ballot, to provide guidance for client software. An alternative would be to include an extended future step up date for end entity certs.

The WG discussed the “stop issuance date” for existing CAs with smaller RSA keys. The WG agreed that a transition period was preferable but it was expressed that 2027 was more suitable than 2028. Stephen agreed to update the draft.

https://github.com/cabforum/smime/compare/be9a18ab2b48eb0cbff41d3a268202f700c06c05...a90411aa2a7d2279692c21a35597a950cc9f37c7

The WG continued the discussion of whether the SBR should be tied to the “strictest of the combined root store requirements” or if it should allow flexibility or a “superset”. Ben Wilson noted that the TLS BR had been revised at one point to the “strictest” but it had since varied (for example, the TLS BR still allow clientAuth even though at least one root program will deprecate it).

Stephen shared a chart describing the distribution of S/MIME roots across the various programs, which does show a diverse distribution.

The WG decided to revisit the topic following the update of the Apple policy. Ben agreed to assist in pulling data of EKU from CCADB that might contribute to that consideration.


  1.       Ballot Status Updates
    
    • In Development: RSA step up to 3072
    • In Discussion Period: NA
    • In Voting Period: NA
    • Under IPR Review: until May 1, Ballot SMC016: Equivalence with Ballots SC096 and SC097
    • Approved and Effective: SMC015v2: Allow mDL for authentication of individual identity (March 27 2026)

  1.       Next meeting:
    
    • Wednesday, April 22, 2026 at 11:00 am Eastern time

  1.        Any other business
    

  1.    Adjourn
    

Attendees:

Adam Folson (IdenTrust), Adriano Santoni (Actalis S.p.A.), Albert de Ruiter (Logius PKIoverheid), Andreas Henschel (D-TRUST), Andy Warner (Google), Arman Asemani (Apple), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Dustin Hollenback (Apple), Guillaume Amringer (Carillon Information Security Inc.), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Janet Hines (SSL.com), Jozef Nigut (Disig), Judith Spencer (CertiPath), Karolina Ruszczyńska (Asseco Data Systems SA (Certum)), Mrugesh Chandarana (IdenTrust), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Patrick Patterson (Carillon Information Security Inc.), Peter Miskovic (Disig), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases
Server Certificate Requirements
SC098: Process RFC 8657 CAA Parameters - Jun 16, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).