CA/Browser Forum
Home » All CA/Browser Forum Posts » 2026-05-21 Minutes of the Forum

2026-05-21 Minutes of the Forum

Minutes:

Meeting Metadata

  • Meeting Title: CA/Browser Forum Date: 21 May 2026
  • Chair: Dimitris Zacharopoulos
  • Minutes Taken By: Wayne Thayer

1. Begin Recording - Roll Call

2. Reading of Note-well

The Note-Well was read

3. Review of Agenda

No changes

4. Minutes approval

  • April 9th - Approved
  • April 23rd - Approved
  • May 7th - Atsushi Inaba posted the following corrections in chat:

Code Signing Certificate WG Update (Martijn)

  • One active ballot currently in the voting phase for making use of timestamping service requirements mandatory
  • ⇒ not “making use of timestamping service requirements mandatory” but “making use of Reserved Policy OID mandatory in Code Signing certificates”

Any other Business (Dean)

  • Vienna Meeting Update: Dates are confirmed for October 22-24, Location will be central Vienna (TBD), Further logistical details will be shared once finalized.
  • ⇒ not “October” but “September”

Minutes were approved with the noted changes.

5. Server Certificate SC Update (Dimitris)

  • Discussion on the ML-DSA ballot
  • Concerns raised about scalability of the CT ecosystem.

5.1 Validation WG(Corey)

  • Last week the Subcommittee discussed Rich Smith’s DNSSEC clarification ballot.
  • Ballot discussions will continue at the next meeting..

6. Code Signing Certificate WG Update (Martijn)

  • Code signing and time stamping OID ballot is in IPR review.
  • Server Certificate alignment ballot will re-enter discussion period next week now that all concerns have been addressed.

7. S/MIME Certificate WG update (Stephen)

  • SMC017 (increase minimum RSA key size) ballot was in the voting period when new concerns were raised. Ballot withdrawn, is being updated with a minimum key size of RSA 3072 with carve outs for certain types of certificates, e.g. delegated OCSP responder certs.
  • Pseudonym ballot is in progress with updates to tagging and uniqueness requirements.

8. NetSec WG update (Clint)

  • Ballot NS-009 discussion around different CA operating environment definitions and the interactions with things like log systems.
  • Trevoli Ponds-White said that she, Martijn, and Roman will work on a location definition that reflects the status quo..

9. Definitions and Glossary WG update (Tim H.)

A document classifying existing definitions from all the BRs was sent out for review this week.

10. Forum Infrastructure Subcommittee update (Jos)

No meeting since the last Forum meeting.

11. IPR Update (Ben)

  • Ben Wilson hasn’t tallied the percentage of signed agreements, but 49 have been submitted.
  • Ben expressed concerns over quorum.
  • Ben reminded members that they will be suspended from voting if they have not submitted their updated IPR agreement by June 1. They can still participate in meetings. 3 months later their membership is revoked.
  • Dimitris said that he and Dean will work with Ben to send out reminders next week.

13. Any other Business (Dimitris)

  • CA Presentations for June 4th Meeting: 4 CAs, 1 auditor submission so far
  • Control Based Audits Compared to Other Audits Testing Approach Sampling Methods and Procedures (Lilia Dubko)
  • Digital Identity for Agentic AI (Jason Soroko)
  • Merkle Tree Certs. Why they’re important, how they work, their standardization status, their implementation status, and our own experience implementing them as a CA.(Aaron Gable)
  • 2 others have not been confirmed, will probably be moved to a future meeting
  • Next F2F meeting is Vienna, Sept 22-24
  • Location is Vienna Parliament
  • Hotel details will be provided soon.

14. Next Call (Dimitris)

June 4th (Will be dedicated to CA presentations – 1.5hrs. No updates from WGs)

15. Adjourn

Attendees

Aaron Gable (Let’s Encrypt), Aaron Poulsen (SSL.com), Adam Fiock (SSL.com), Adam Jones (Microsoft), Adriano Santoni (Actalis S.p.A.), Andrea Holland (IdenTrust), Arman Asemani (Apple), Ben Wilson (Mozilla), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Cynethia Brown (US Federal PKI Management Authority), Daryn Wright (Apple), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Apple), Eric Kramer (Sectigo), Ethan Davis (Google), Georgy Sebastian (Amazon), Gregory Tomko (GlobalSign), Gurleen Grewal (Google), Hogeun Yoo (NAVER Cloud Trust Services), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Janet Hines (SSL.com), Jeanette Snook (Visa), John Mason (Microsoft), Johnny Reading (GoDaddy), Jos Purvis (Fastly), Jun Okura (Cybertrust Japan), Karina Sirota (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kiran Tummala (Apple), Li-Chun Chen (Chunghwa Telecom), Lilia Dubko (CPA Canada/WebTrust), Luis Osses (Amazon), Lynn Jeun (Visa), Martijn Katerbarg (Sectigo), Matthew McPherrin (Let’s Encrypt), Michelle Coon (OATI), Miguel Sanchez (Google), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Rob White (GoDaddy), Roman Fischer (SwissSign), Sándor Szőke (Microsec), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)

Latest releases
Server Certificate Requirements
SC098: Process RFC 8657 CAA Parameters - Jun 16, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).