Final minutes for the Server Certificate Working Group teleconference - September 25, 2025

Dimitris Zacharopoulos (HARICA)

Nov 4, 2025, 3:31:06 AM
to CA/B Forum Server Certificate WG Public Discussion List

These are the final minutes of the teleconference described in the subject of this message, prepared by Clint Wilson.


## Meeting Date:

- 2025-09-25


## Attendees


Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Abdul Hakeem Putra (MSC Trustgate Sdn Bhd), Adam Jones (Microsoft), Alvin Wang (SHECA), Antti Backman (Telia Company), Ben Wilson (Mozilla), Brianca Martin (Amazon), Chad Dandar (Cisco Systems), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dean Coclin (DigiCert), Gregory Tomko (GlobalSign), Hogeun Yoo (NAVER Cloud Trust Services), Inaba Atsushi (GlobalSign), Janet Hines (VikingCloud), Jeanette Snook (Visa), Jun Okura (Cybertrust Japan), Karina Goodley (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kate Xu (TrustAsia), Luis Cervantes (SSL.com), Marcelo Silva (Visa), Martijn Katerbarg (Sectigo), Matthew McPherrin (Let's Encrypt), Michael Slaughter (Amazon), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nicol So (CommScope), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Peter Miskovic (Disig), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Sven Rajala (Keyfactor), Tadahiko Ito (SECOM Trust Systems), Tathan Thacker (IdenTrust), Thomas Zermeno (SSL.com), Tim Hollebeek (DigiCert), Tobias Josefowitz (Opera Software AS), Tsung-Min Kuo (Chunghwa Telecom), Wayne Thayer (Fastly).


## Note Well:


- Read by Wayne Thayer


## Review of Agenda:


- No additions or changes.


## Approval of Minutes:


- September 11, 2025 Teleconference (Draft minutes were distributed on 2025-09-11) approved.


## Membership Applications: 


- No objections with Özkan Kara (SKBS UG) joining as an individual Interested Party.


## Clarification on BRs 2.2 Compliance for Test Web Pages (Cross-Certification Scenario)


Wayne Thayer initiated a discussion regarding a question from ONO Fumiaki at SECOM about BR section 2.2, which requires CAs to host test webpages. The specific scenario involved a cross-certification where an older root is cross-signed by a newer root. Is it acceptable for the test website's leaf certificate to be issued by the newer root that chains back to the older root?

- Corey Bonnell and Aaron Gable supported this interpretation, noting that it meets the spirit of the requirement by allowing for testing of the browser's path-building algorithm. Aaron Gable added that it is not technically possible to force a browser to validate a specific path, as it may use cached intermediates to build a different, valid chain.
- Ben Wilson raised a related point about testing new roots during the inclusion process, where his test tools need to validate a chain up to the specific new root being applied for, not a cross-signed alternative.
- Tim Hollebeek noted that the language is ambiguous due to the inconsistent use of "CA" (organization vs. certificate) and agreed the requirement should be clarified.
- Action Item: Wayne Thayer will create a GitHub issue to review and clarify the language and purpose of BR Section 2.2, ensuring it aligns with modern practices and root store policies. (https://github.com/cabforum/servercert/issues/618)


## F2F#66: SCWG topics for discussion: 


- Ben Wilson proposed a discussion on revocation reason codes, with the goal of refining the categories in BR sections 4.9.1.1 and 7.2.2. He plans to circulate a draft proposal to the mailing list. The topic was added to the F2F agenda.

Members were reminded to send any additional topic proposals to Dimitris Zacharopoulos.


## Ballot Status: 


SC090: This ballot is likely waiting for the resolution of SC-088.

SC087: This ballot is pending the completion of SC-086.

SC086: Sunset the Inclusion of Address and Routing Parameter Area Names. Corey Bonnell reported the ballot has been re-scoped to focus only on prohibiting issuance for reverse DNS zones (e.g., ip6.arpa). He is awaiting endorser feedback before restarting the discussion period.

SC088: Michael Slaughter has published version 3 of the ballot incorporating community feedback. He hopes to move to a voting period as early as next week if no major issues are raised.

SC092: Sunset of Precertificate Signing CAs; no update.


## Any Other Business: 


- The next two SCWG calls, scheduled for October 9 and October 23, 2025, are canceled due to the upcoming F2F meeting.

- No other business was discussed.


## Adjourn

