cabforum · XolphinMartijn · Apr 15, 2026 · Apr 15, 2026
@@ -0,0 +1,47 @@
+---
+date: 2025-12-11 00:00:00
+tags:
+  - Minutes
+  - Code Signing
+title: 2025-12-11 Minutes of the Code Signing Certificate Working Group 
+type: post
+---
+
+# Code Signing Working Group – Meeting Minutes  
+**Date:** 11 December  
+
+## 1. Antitrust Reminder (Note Well)
+The Note Well was read
+
+## 2. Review of Agenda
+
+## 3. Approval of Minutes
+November 13th Meeting Minutes were approved
+Face-to-Face (F2F) Meeting Minutes were approved
+
+## 4. Discussion Topics
+
+### 4.1 SC-Alignment Ballot – Microsoft OCSP Concerns
+- No Microsoft representatives were present on the call.
+- No updates were observed on the mailing list regarding Microsoft’s OCSP-related concerns.
+- Topic tabled until Microsoft provides an update.
+
+### 4.2 Post-Quantum Cryptography (PQC)
+- The topic remains on the agenda at the request of Brianca (Amazon)
+- Discussion noted that progress is largely dependent on Microsoft’s platform direction and support.
+
+### 4.3 Code Signing – Next Steps (Single Profile)
+- Identified consolidation into a single code signing profile (merging Code Signing and EV Code Signing) as a major project for the coming year.
+- A working branch tracking proposed updates to the Code Signing Baseline Requirements (CSBRs) has been created
+- Rewrite and review CSBR sections incrementally (approximately one section per month).
+
+## 5. Any Other Business
+None
+
+## 6. Adjourn
+
+## 7. Next Meeting
+**Date:** 8 January  
+
+## Attendees
+Brian Winters (IdenTrust), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Wiktoria Więckowska (Asseco Data Systems SA (Certum))
@@ -0,0 +1,59 @@
+---
+date: 2026-01-08 00:00:00
+tags:
+  - Minutes
+  - Code Signing
+title: 2026-01-08 Minutes of the Code Signing Certificate Working Group 
+type: post
+---
+
+# Code Signing Working Group – Meeting Minutes  
+**Date:** 8 January 2026  
+
+## 1. Antitrust Reminder (Note Well)
+The Note Well was read
+
+## 2. Review of Agenda
+- An additional item was added: **Interested Party Application**.
+
+## 3. Discussion Topics
+
+### Interested Party Application
+- An application was received from **Digital Berry**, a CLM and token management system provider based in France.
+- Dean confirmed the application was complete and properly signed by a senior representative.
+- No objections were raised by the working group.
+
+### SC-Alignment Ballot – Microsoft OCSP Concerns
+- No representatives from Microsoft were present.
+- No updates had been received via the mailing list.
+- Given the lack of new information, this topic was skipped.
+
+### Post-Quantum Cryptography (PQC)
+- Brianca (Amazon) confirmed there were no updates on PQC.
+- Microsoft was not present to provide any platform-related updates.
+
+### Migration to a Single Code Signing Profile  
+- The Chair presented initial work toward migrating to a single code signing profile, merging Code Signing and EV Code Signing.
+- Work has begun on Sections 1 and 2 of the Code Signing Baseline Requirements (CSBRs), using a branch-based workflow rather than a formal PR at this stage.
+- Key points discussed:
+  - Likely need to move to a new major version (e.g., v4.0).
+  - Proposal to allow the existing requirements until a TBD cutoff date, after which only the single profile would be permitted.
+  - Maintaining both old and new requirements in one document was viewed as impractical.
+  - Proposal to deprecate the EV Code Signing policy OID and move to a single OID.
+  - Most changes so far are structural (removal of EV references, minor corrections).
+  - Significant concern was raised about proceeding without active Microsoft participation:
+  - Microsoft is currently the primary consumer of code signing certificates.
+  - Risk of misalignment with Microsoft expectations, similar to prior issues (e.g., OCSP requirements).
+  - Consensus that meaningful progress requires Microsoft engagement.
+
+## 4. Any Other Business
+- It was noted that Microsoft representatives have been absent for three consecutive meetings.
+- It was agreed that Microsoft should be reminded of the purpose of the working group and the importance of their participation.
+
+## 5. Adjourn
+
+## 6. Next Meeting
+**Date:** 5 February 2026 
+
+## Attendees
+Brianca Martin (Amazon), Brian Winters (IdenTrust), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Nome Huang (TrustAsia), Wiktoria Więckowska (Asseco Data Systems SA (Certum))
@@ -0,0 +1,42 @@
+---
+date: 2026-02-05 00:00:00
+tags:
+  - Minutes
+  - Code Signing
+title: 2026-02-05 Minutes of the Code Signing Certificate Working Group 
+type: post
+---
+
+# Code Signing Working Group – Meeting Minutes  
+# Minutes
+
+Tom led the discussion as Martijn was unable to attend.
+
+Tom read the Note Well.
+
+## OCSP discussion for Servercert alignment ballot
+
+Karina is discussing internally at Microsoft on how best to proceed. She plans to send an update to the group in the next few days.
+
+## Migration to single profile
+
+Tom said sections 1 and 2 of the proposal are available on Github. Tom led the group through the proposal. No concerns were raised on the changes. Corey said it would be good to discuss overall goal before discussing concrete language changes.
+
+Karina said that Microsoft wants more widespread use of code signing but provides strong identity. In particular, the validation should be closer to EV than OV.
+
+Karina said she is working on a ballot that removes phone validation, as methods with durable proof is preferred.
+
+Inigo suggested looking into eIDAS for validation for code signing certificates.
+
+## Topics for F2F
+
+Karina said she will send out the proposal for removing phone validation and it can be discussed at the F2F. Corey suggested discussing the single profile at the F2F.
+
+## Other business
+
+The group agreed to meet on February 19th to discuss the F2F agenda.
+
+Meeting adjourned. The next meeting will be February 19th.
+
+## Attendees
+Brian Winters (IdenTrust), Corey Bonnell (DigiCert), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Karina Sirota (Microsoft), Luis Cervantes (SSL.com), Marco Schambach (IdenTrust), Nome Huang (TrustAsia), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Crawford (CPA Canada/WebTrust), Wiktoria Więckowska (Asseco Data Systems SA (Certum))
@@ -0,0 +1,96 @@
+---
+date: 2026-03-26 00:00:00
+tags:
+  - Minutes
+  - Forum
+title: 2026-03-26 Minutes of the Forum
+type: post
+---
+
+**Minutes:**
+
+## CA/B Forum plenary Meeting - March 26, 2026
+
+### Minutes
+
+#### Begin Recording - Roll Call
+
+- Recording started
+- Read note-well
+  - Read the note-well at SCWG prior
+
+#### Review of Agenda
+
+- No changes
+
+#### Approval of minutes
+
+- February 26th (Martijn) - (Draft minutes have not been distributed yet)
+- Please submit F2F minutes on Etherpad.
+
+#### Server Certificate Working Group update (Dimitris)
+
+- Went over face-to-face agenda and ballot updates at 02/26 meeting
+- Face-to-face minutes are being compiled yet
+- Capturing BR version at DCV time.  Working Group opined that requirement should be replaced with something else - Aaron Gable to propose the change (aligned with expectations of:  Proper documentation, accountability, change management).
+- CP/CPS Content Consistency - gave examples where they were vague vs explicit.  More explicit leads to more chances of falling into non-compliance and having to revoke.  Captured the CA/B Forum expectations and how to proceed forward with improvements.
+- Revocation Timelines and CP/CPS consistency - alternative proposal to have CAs document which areas are allowed to have more flexibility and have a different revocation timeline (or no revocation at all as long as it is stricter than the BRs) - will be sent in F2F minutes.
+- Availability of resources such as CRL distribution points; repository; OCSP URLs; etc.  Rules are vague now.  CAs might implement settings to prevent abuse and DOS attacks (geolocation blocking, etc).  Feedback to be captured in F2F meeting minutes and then see what next steps are based on that feedback.
+- Validation Subcommittee - Corey Bonnell
+  - ADN Ballot updates - Reached consensus, ballot should be about ready to go after some minor updates.
+  - Scott Rae presented on making more concrete guidance on Reliable Data Sources.  Scott to create draft ballot proposal.
+  - DNSSEC - whether or not you have to check whether or not domain zone was secured with DNSSEC if one of the domain's parents was not.  If you know the parent was not, you do not have to check the child because you know it was not.  May be ballot language drafted for this.
+
+#### Code Signing Certificate Working Group update (Martijn)
+
+- Face-to-Face presentation by Karina for Microsoft's vision for code-signing working group and ecosystem.  Proposals to make it more available for individual developers and make it open source as well.  Increase strength for authentication validation and remove human factor.
+
+#### S/MIME Certificate Working Group update (Stephen)
+
+- SMC015 MDL Ballot will come out of IPR 03/27/2026.  New SMIME BR to be posted after.
+- SMC016 Equivalence Ballot with SCWG now in voting through next week.
+- Ongoing discussion on two items
+  - Moving forward with a ballot to increase the minimum RSA key size for SMIME Sub-CAs - draft link is out.
+  - Potential changes to Root Program policies and how those impact SMIME BRs or SMIME CAs and what they may need to do going forward.  Included in SMIME meeting minutes.
+
+#### NetSec Working Group update (Clint)
+
+- Met Tuesday, 03/24.
+- NetSec Modernization Work - Determined Miguel will work on proposal for first steps of modernization effort.
+- Cloud Services Logging/Infrastructure use - CoreyB to update his proposal for next meeting in two weeks.
+
+#### Definitions and Glossary Working Group (Tim H.)
+
+- No Update.
+
+#### Forum Infrastructure Subcommittee update (Jos)
+
+- Ben Wilson provided update:
+  - Updating text of CA/B Forum website - request for volunteers.
+
+#### IPR Subcommittee (Ben)
+
+- Received call from member of IPR Review Subcommittee - section 4.5 of IPR Policy and new participants and whether they had the rights to raise historic claims or not.  Ben reviewing to ensure proper response.  If no change, will close discussion on 03/31.  if changes needed, will release version 2 for 7 day review period.  Let Ben know of comments so he can batch it at the same time.
+
+#### Any Other Business
+
+- F2F Meeting Schedule:
+  - 2026
+    1. Vienna, Austria - September 22-24 - eMuhdra (Location to be confirmed)  Registration is open on website now
+  - 2027
+    1. Scottsdale, AZ - Spring 2027 - Sectigo
+    2. Switzerland - Fall 2027 - SwissSign
+  - 2028
+    1. Shanghai, China - Spring 2028 - TrustAsia (tentative)
+    2. Thessaloniki, GR (or Identrust) - Fall 2028 - HARICA (tentative) or Identrust
+
+#### Next call
+
+April 9th
+
+#### Adjourn
+
+TimC:  meeting adjourned.
+
+### Attendees
+Adam Jones (Microsoft), Arman Asemani (Apple), Ben Wilson (Mozilla), Chris Clements (Google), Chya-Hung Tsai (TWCA), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Cynethia Brown (US Federal PKI Management Authority), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Apple), Eric Kramer (Sectigo), Gurleen Grewal (Google), Hogeun Yoo (NAVER Cloud Trust Services), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Janet Hines (SSL.com), Jeanette Snook (Visa), Jeff Ward (CPA Canada/WebTrust), John Mason (Microsoft), Jozef Nigut (Disig), Jun Okura (Cybertrust Japan), Karina Sirota (Microsoft), Karolina Ruszczyńska (Asseco Data Systems SA (Certum)), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Lilia Dubko (CPA Canada/WebTrust), Lucy Buecking (IdenTrust), Martijn Katerbarg (Sectigo), Masaru Sakamoto (Cybertrust Japan), Matthew McPherrin (Let's Encrypt), Michelle Coon (OATI), Mrugesh Chandarana (IdenTrust), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Puja Sehgal (Microsoft), Rich Smith (DigiCert), Roman Fischer (SwissSign), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority).