CA/Browser Forum

2026-04-23 Minutes of the Server Certificate Working Group

Minutes:

Begin Recording - Roll Call

Recording started

Read note-well

Dimitris read the note-well

Review of Agenda

No changes

Approval of Minutes

  • February 26, 2026 minutes approved without objection
  • F2F#67 March 10, 2026 minutes also approved

Membership applications

Cigan Joseph, Interested Party - approved

Nova Vanguard Technology Corporation, Interested Party - approved

Wayne Thayer will contact and inform the applicants of their acceptance.

Ballot Status

Current status of Ballots:

  • SC098 (RFC 8657 CAA parameters): In discussion period; awaiting Wayne’s review of comments from Fastly representative Shiloh Heurich
  • SC099 (Improved recording of validation method): Completed; IPR review ends May 18, 2026
  • SC87 (EV registration number improvement): Waiting for EV guidelines cleanup ballot to exit IPR (ends May 2)
  • SC101 (Clarify authorization domain names): Ready for pre-discussion period; Aaron delayed due to workload
  • Certificate problem reports ballot (Martijn): In progress; awaiting second endorser and addressing questions from Rich/Dimitris
  • MLDSA keys ballot: Google Trust Services (Gurleen) submitted a pull request; will collaborate with Corey’s October 2024 proposal on post-quantum algorithms

GitHub open issues

  • Closed ~20-30 cleanup issues linked to last cleanup ballot
  • Current status: 67 open issues in total; only 7 tagged as cleanup
  • Members encouraged to triage, add context, and take ownership of remaining issues

Other Business

  • Ballot number reservation procedure: Dimitris to draft wiki documentation on new process allowing reservation with written proposals and share with management list
  • Unknown Pull Request (E3NO) - Gurleen’s colleague from Google Trust Services

Adjourn

Next meeting: May 7, 2026

Attendees

Aaron Gable (ISRG), Adam Folsom (IdenTrust), Antti Backman (Telia Company), Atsushi INABA (GlobalSign), Ben Wilson (Mozilla), Benjamin (ChungHwa Telecom), Chris Clements (Google Chrome), Clint Wilson (Apple), Corey Bonnell (DigiCert), Daryn Wright (Apple), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Apple), Enrico Entschew (D-Trust), Greg Tomko (GlobalSign), Gurleen Grewal (GTS), Hazhar Ismail (MSC Trustgate), Hogeun Yoo (NAVER Cloud Trust Services), Inigo Barreira (Sectigo), Jaime Hablutzel (WISekey), Janet Hines (SSL.com), Jeff Ward (Aprio), Johnny Reading (GoDaddy), Jos Purvis (Fastly), Jun Okura (Cybertrust), Karolina Ruszczynska (Certum), Kateryna Aleksieieva (Certum by Asseco), Lilia Dubko (CPA Canada), Lucy Buecking (IdenTrust), Luis Osses (Amazon Trust Services), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Matthew McPherrin (ISRG), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust), Nate Smith (GoDaddy), Nome Huang (TrustAsia), ONO Fumiaki (SECOM), Peter Miskovic (Disig), Rob White (GoDaddy), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Sándor Szöke (Microsec), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Tadahiko ITO (SECOM), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon Trust Services), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly).

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).