CA/Browser Forum
Home » All CA/Browser Forum Posts » 2026-06-17 Minutes of the S/MIME Certificate Working Group

2026-06-17 Minutes of the S/MIME Certificate Working Group

Minutes of SMCWG

June 17, 2026

These are the Minutes of the meeting described in the subject of this message. Corrections and clarifications where needed are encouraged by reply.


  1.       Roll Call 
    

  1.       Note well:  Antitrust / Compliance Statement
    

  1.       Approval of past minutes
    
  • June 3 deferred

Minutes were taken by Stephen Davidson.


  1.       Review Agenda 
    

  1.       Membership
    

  1.        Discussion
    
    • Stephen Davidson noted that SMC017v2 was in formal discussion period: https://cabforum.org/2026/06/16/ballot-smc-017v2/ through June 23. Dustin Hollenback requested a diff between the old and new versions of the ballot.
    • Stephen walked through the text of SC-103 which re-addressed the TLS BR handling of cross certificates to match the stricter constraints proposed by CCADB Policy 6.3. Stephen asked if a similar update was required for the S/MIME BR. Martijn Katerbarg noted that the S/MIME BR had not yet adopted the “tabular” style of certificate profiles that was later adopted in the TLS BR, so an implementation would be more text driven. Technical challenges arose due to audio issues during the meeting. Stephen said that he was uncertain how frequently cross-certificates were used in S/MIME, and Ben Wilson agreed to look into the CCADB filings. Stephen proposed bringing draft text for consideration following a review of Ben’s data.
    • Stephen said the TLS BR had recently consolidated its references to CAA from various locations, into one location, while also updating the CAA parameters requirement. The WG will need to implement that parameters requirement, and may reconsider our own approach to implementing the CAA requirements (i.e., if the TLS BR text is sufficiently generalized to allow an inward pointer or if the S/MIME BR require a separate statement of the same facts in order to vary certain items for our use case).

  1.       Ballot Status Updates
    
    • In Development: Pseudonym, cross-cert restrictions, CAA updates
    • In Discussion Period: Ballot SMC017v2: Increase Minimum RSA CA Key Size
    • In Voting Period: NA
    • Under IPR Review: NA
    • Approved and Effective: Ballot SMC016: Equivalence with Ballots SC096 and SC097(May 5)

  1.       Next meeting:
    
    • Wednesday, July 1, 2026 at 11:00 am Eastern time

  1.        Any other business
    

  1.    Adjourn
    

Attendees:

Aaron Poulsen (SSL.com), Adam Fiock (SSL.com), Adriano Santoni (Actalis S.p.A.), Albert de Ruiter (Logius PKIoverheid), Andrea Holland (IdenTrust), Andy Warner (Google), Arman Asemani (Apple), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Dustin Hollenback (Apple), Florian Oprea (TeleTrust), Guillaume Amringer (Carillon Information Security Inc.), Hazhar Ismail (MSC Trustgate Sdn Bhd), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Janet Hines (SSL.com), Jozef Nigut (Disig), Judith Spencer (CertiPath), Malcolm Idaho (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Pekka Lahtiharju (Telia Company), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stefan Selbitschka (rundQuadrat), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

Latest releases
Server Certificate Requirements
SC098: Process RFC 8657 CAA Parameters - Jun 16, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).