CA/Browser Forum
Home » All CA/Browser Forum Posts » 2026-06-03 Minutes of the S/MIME Certificate Working Group

2026-06-03 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

June 3, 2026

These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.


  1.       Roll Call 
    

  1.       Note well:  Antitrust / Compliance Statement
    

  1.       Approval of past minutes
    
  • May 20

Minutes were taken by Stephen Davidson.


  1.       Review Agenda 
    

  1.       Membership
    

  1.        Discussion
    
    • Stephen Davidson noted the updated signatures were due from members for the CABF intellectual property agreement (communicated separately on the Forum mailing lists).
    • Stephen also noted that CABF elections would take place in the autumn and reminded members interested in taking leadership roles in the woring groups to contact the Forum chair.
    • Scott Rea provided details of the location for the upcoming CABF F2F in Vienna in September.
    • Martijn Katerbarg presented an updated draft based upon the outcome of the discussion on May 20: https://github.com/cabforum/smime/pull/304. The notable changes were 1) the text relaxes requirement to cease issuance after the September 2027 to CAs using RSA keys smaller than 3072 bits (down from 4096), and 2) specified what certificates are impacted at that date (i.e., it applies to leaf/Subscriber certificates rather than cross-certificates or delegated OCSP responder certficates). The WG concurred with the change.
    • It was noted that the SBR sometimes used curve448 versus Curve448. It was agreed to make the capitalization consistent.
    • It was agreed that SMC017v2 would move to formal discussion.

  1.       Ballot Status Updates
    
    • In Development: Ballot SMC017v2: Increase Minimum RSA CA Key Size, Pseudonym
    • In Discussion Period: NA
    • In Voting Period: NA
    • Under IPR Review: NA
    • Approved and Effective: Ballot SMC016: Equivalence with Ballots SC096 and SC097 (May 5)

  1.       Next meeting:
    
    • Wednesday, June 17, 2026 at 11:00 am Eastern time

  1.        Any other business
    

  1.    Adjourn
    

Attendees:

Adriano Santoni (Actalis S.p.A.), Andrea Holland (IdenTrust), Andy Warner (Google), Arman Asemani (Apple), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Chya-Hung Tsai (TWCA), Dustin Hollenback (Apple), Guillaume Amringer (Carillon Information Security Inc.), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Judith Spencer (CertiPath), Lilia Dubko (CPA Canada/WebTrust), Malcolm Idaho (IdenTrust), Martijn Katerbarg (Sectigo), Morad Abou Nasser (TeleTrust), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Rollin Yu (TrustAsia), Russ Housley (Vigil Security LLC), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tim Crawford (CPA Canada/WebTrust), Wendy Brown (US Federal PKI Management Authority), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases
Server Certificate Requirements
SC098: Process RFC 8657 CAA Parameters - Jun 16, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).