CA/Browser Forum
Home » All CA/Browser Forum Posts » 2026-06-18 Minutes of the Server Certificate Working Group

2026-06-18 Minutes of the Server Certificate Working Group

Minutes:

  1. Roll Call – from recording

We also had the following persons present:

Naresh Charugundla (Microsoft), Rajeev Mohindra (Microsoft), Logan Mabe (Microsoft) who were not registered in the Member’s tool.

  1. Read note-well

The note-well was read by Dimitris.

  1. Review of Agenda

The Agenda as provided on list prior to the call (see above).

  1. Minutes
  • June 4, 2026 (Draft minutes were distributed on 2026-06-16) – are Approved
  1. Membership Applications
  • No current Applications to review.
  1. Ballot Status

Ballot moved to V2 with substantive change being effective date in 3.2.2.5.3. A couple of other editorial updates also. Expected to go to discussion period tomorrow.

This ballot discussed on the list, but not yet in this meeting. This ballot is prompted by an incident that lets Encrypt had a few weeks ago in which they issued some certificates that were in compliance with the profiles specified in the BRs, but not in compliance with the profile requirements specified in the CCADB policy. The goal is to migrate profiles from CCADB to the BRs with a particular focus on EKUs in cross-certified subCAs.

Some key elements include: EKUs present but NOT Critical, and no longer such a thing as “unrestricted EKU” – this is expected to be a much simpler table to validate compliance with what CCADB already requires.

An extended discussion ensued which highlighted concerns about EKU requirements and interoperability challenges. Participants emphasized the need for clarity in definitions related to cross certificates and EKUs. EKU chaining is deemed reasonable for governance, but lacks clear agreements and documentation.

Current EKU usage primarily follows the 5280 standard, limiting its application in intermediate CA certificates.

Vagueness in the CCADB Policy is embodied in two elements: 1) CCADB defines cross certificates as only being relevant when the subject CA is operated by a different CA owner which doesn’t match with BRs definition; 2) and the EKU restrictions associated with dedicated hierarchies not actually having practical alignment with the individual root programs, and potentially creating interoperability challenges.

With CCADB Steering Committee members as endorsers of this ballot, it is expected to have the right buy in for CCADB once final BR adjustments are considered and made.

Tadahiko expressed a desire to consider EKU chaining as per RFC 5280 model – as that relates to Aaron’s proposed SC103. This will take further exploration on the list.

  1. Any other business

None.

  1. Next Call

Next call is July 2nd, 2026.

  1. Meeting Adjournment

Meeting adjourned.

Attendees

Aaron Gable (Let’s Encrypt), Aaron Poulsen (SSL.com), Andrea Holland (IdenTrust), Antti Backman (Telia Company), Arman Asemani (Apple), Arno Fiedler (ETSI), Ben Wilson (Mozilla), Chad Dandar (Cisco Systems), Corey Rasmussen (OATI), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Apple), Ethan Davis (Google), Georgy Sebastian (Amazon), Gregory Tomko (GlobalSign), Hazhar Ismail (MSC Trustgate Sdn Bhd), Hogeun Yoo (NAVER Cloud Trust Services), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Janet Hines (SSL.com), Jun Okura (Cybertrust Japan), Karina Sirota (Microsoft), Li-Chun Chen (Chunghwa Telecom), Lilia Dubko (CPA Canada/WebTrust), Lucy Buecking (IdenTrust), Luis Osses (Amazon), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Masaru Sakamoto (Cybertrust Japan), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Paul van Brouwershaven (Digitorus), Peter Miskovic (Disig), Polina Glazyrina (Sectigo), Rebecca Kelly (SSL.com), Rob White (GoDaddy), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Sándor Szőke (Microsec), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Wiktoria Więckowska (Asseco Data Systems SA (Certum)).

Latest releases
Server Certificate Requirements
SC098: Process RFC 8657 CAA Parameters - Jun 16, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).