Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
851 views
Skip to first unread message
Aaron Gable
Apr 10, 2026, 3:30:33 PM (12 days ago) Apr 10
to server...@groups.cabforum.org
Ballot SC-099: Improve Recording of Validation Methods
This ballot is written by Aaron Gable (ISRG / Let's Encrypt) and endorsed by Gurleen Grewal (Google Trust Services), Trev Ponds-White (Amazon Trust Services), and Roman Fischer (SwissSign).
Summary of the Ballot
Remove ambiguous language from Section 3.2.2.4 and 3.2.2.5 requiring that CAs "record" the "relevant BR version number" when performing validation.
Replace this with unambiguous language in Section 5.4.1, requiring that CAs specifically audit log the information being validated and what validation method they are using to do so.
The new language has an Effective Date of July 15, 2026, giving CAs two months from the expected end of this ballot's IPR period to comply.
Background of the Ballot
The current BRs contain the following text in Sections 3.2.2.4 and 3.2.2.5:
> CAs SHALL maintain a record of which [domain/IP] validation method, including relevant BR version number, they used to validate every [domain/IP Address].
This text is problematic for four reasons:
- it only applies to domains and IP addresses, not other things being validated like organization information;
- the requirement to "maintain a record" is unclear (in audit logs? in a database? in a document?);
- no one is sure what the "relevant BR version" is (the effective version when the validation happened? the version that the validation process believes it implements?); and
- the text is not in Section 5.4.1, which is where the BRs concentrate requirements about recording information.
To resolve these issues, we need to start from first principles. The goal, as evidenced by discussion when this requirement was introduced and recollections of CA/BF members who were participating at the time, is to ensure that CAs and auditors are able to definitively identify the validation process with which the CA was required to comply for any given validation.
To determine what rules governed any given validation, we need two pieces of information:
1. When they performed that validation. The current requirements in Section 5.4.1 already require the CA to audit log the time of every verification procedure.
2. What validation method the CA used. This ballot augments Section 5.4.1 to also require that the CA audit log the validation method used, as well as other useful information.
Because we can accomplish the goal with a small addition to Section 5.4.1, this ballot removes the current text from Sections 3.2.2.4 and 3.2.2.5.
Note that this ballot removes the requirement to "record" the "relevant BR version number". This is not considered a loss, for several reasons:
- No CA or auditor should be relying on a logged BR version number to determine which version of the BRs governed the validation. The logged version number is not enforceable; the only information which can be relied upon to map a validation to a BRs version is the time at which the validation was performed.
- If a new version of the BRs adds requirements to a validation method, but gates those new requirements behind a future effective date, the logged version number may indicate that the CA complies with that new version long before the CA has actually implemented the soon-to-be-required behavior.
- If a new version of the BRs adds requirements to a validation method immediately upon the new version becoming effective, then a CA must update their processes to comply before the new version of the BRs is even published, and therefore the logged version number will be out-of-date compared to the implemented behavior.
- Part of the original motivation behind these statements was to encourage CAs to actually read new versions of the BRs and ensure their processes comply with them. We now have other mechanisms to encourage this behavior, such as CCADB self-assessments.
Therefore we conclude that recording the relevant BRs version number is neither useful nor well-specified, and therefore should not be included in the BRs.
This issue was discussed on Mozilla dev-security-policy@ (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/x4zRcboSDwU) as well as at the CA/BF Face-to-Face Meeting 67 in Houston on March 10, 2026. The conclusion of those discussions was that we should create this ballot. The discussion period thread for this ballot can be seen here: https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/KnkGWHEhWAI/m/juiAtWOJBwAJ
> CAs SHALL maintain a record of which [domain/IP] validation method, including relevant BR version number, they used to validate every [domain/IP Address].
This text is problematic for four reasons:
- it only applies to domains and IP addresses, not other things being validated like organization information;
- the requirement to "maintain a record" is unclear (in audit logs? in a database? in a document?);
- no one is sure what the "relevant BR version" is (the effective version when the validation happened? the version that the validation process believes it implements?); and
- the text is not in Section 5.4.1, which is where the BRs concentrate requirements about recording information.
To resolve these issues, we need to start from first principles. The goal, as evidenced by discussion when this requirement was introduced and recollections of CA/BF members who were participating at the time, is to ensure that CAs and auditors are able to definitively identify the validation process with which the CA was required to comply for any given validation.
To determine what rules governed any given validation, we need two pieces of information:
1. When they performed that validation. The current requirements in Section 5.4.1 already require the CA to audit log the time of every verification procedure.
2. What validation method the CA used. This ballot augments Section 5.4.1 to also require that the CA audit log the validation method used, as well as other useful information.
Because we can accomplish the goal with a small addition to Section 5.4.1, this ballot removes the current text from Sections 3.2.2.4 and 3.2.2.5.
Note that this ballot removes the requirement to "record" the "relevant BR version number". This is not considered a loss, for several reasons:
- No CA or auditor should be relying on a logged BR version number to determine which version of the BRs governed the validation. The logged version number is not enforceable; the only information which can be relied upon to map a validation to a BRs version is the time at which the validation was performed.
- If a new version of the BRs adds requirements to a validation method, but gates those new requirements behind a future effective date, the logged version number may indicate that the CA complies with that new version long before the CA has actually implemented the soon-to-be-required behavior.
- If a new version of the BRs adds requirements to a validation method immediately upon the new version becoming effective, then a CA must update their processes to comply before the new version of the BRs is even published, and therefore the logged version number will be out-of-date compared to the implemented behavior.
- Part of the original motivation behind these statements was to encourage CAs to actually read new versions of the BRs and ensure their processes comply with them. We now have other mechanisms to encourage this behavior, such as CCADB self-assessments.
Therefore we conclude that recording the relevant BRs version number is neither useful nor well-specified, and therefore should not be included in the BRs.
This issue was discussed on Mozilla dev-security-policy@ (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/x4zRcboSDwU) as well as at the CA/BF Face-to-Face Meeting 67 in Houston on March 10, 2026. The conclusion of those discussions was that we should create this ballot. The discussion period thread for this ballot can be seen here: https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/KnkGWHEhWAI/m/juiAtWOJBwAJ
This ballot is written by Aaron Gable (ISRG / Let's Encrypt) and endorsed by Gurleen Grewal (Google Trust Services), Trev Ponds-White (Amazon Trust Services), and Roman Fischer (SwissSign).
--- Motion Begins ---
Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Server Certificates", based on Version 2.2.6, per the following redline:
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days):
- Start time: 2026-04-03 19:00 UTC
- End time: 2026-04-10 19:00 UTC
Vote for approval (7 days):
- Start time: 2026-04-10 19:30 UTC
- End time: 2026-04-17 19:30 UTC
Pedro FUENTES
Apr 13, 2026, 7:04:42 AM (9 days ago) Apr 13
to server...@groups.cabforum.org
OISTE votes yes to SC-99
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
WISeKey SA
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks
CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender
DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.
Tugba ÖZCAN (BILGEM KSM)
Apr 13, 2026, 8:54:07 AM (9 days ago) Apr 13
to servercert-wg
Kamu SM votes Yes on Ballot SC-099.
Tuğba ÖZCAN
TÜBİTAK BİLGEM
TÜBİTAK BİLGEM
Kamu Sertifikasyon Merkezi/E-İmza Teknolojileri Birim Yöneticisi
Kimden: "'Aaron Gable' via Server Certificate WG (CA/B Forum)" <server...@groups.cabforum.org>
Kime: "servercert-wg" <server...@groups.cabforum.org>
Gönderilenler: 10 Nisan Cuma 2026 22:30:17
Konu: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Kime: "servercert-wg" <server...@groups.cabforum.org>
Gönderilenler: 10 Nisan Cuma 2026 22:30:17
Konu: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
--
Aaron Gable
Apr 13, 2026, 1:49:50 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
Let's Encrypt / ISRG votes Yes on Ballot SC-099.
Scott Rea
Apr 13, 2026, 1:52:57 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
eMudhra Votes YES to Ballot SC-099
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Friday, 10 April 2026 at 2:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Date: Friday, 10 April 2026 at 2:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
|
CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.
|
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
Disclaimer: The email and its contents hold confidential information and are intended for the person or entity to which it is addressed. If you are not the intended recipient, please note that any distribution or copying of this email is strictly prohibited
as per Company Policy, you are requested to notify the sender and delete the email and associated attachments with it from your system.
Trevoli Ponds-White
Apr 13, 2026, 2:15:56 PM (9 days ago) Apr 13
to Server Certificate WG (CA/B Forum)
Amazon Trust Services votes Yes
Ben Wilson
Apr 13, 2026, 3:03:14 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
Mozilla votes "Yes" on Ballot SC-099.
--
Chad Dandar (cdandar)
Apr 13, 2026, 3:11:35 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
Cisco votes "Yes" on Ballot SC-099.
Chad Dandar
Cisco
--
Hogeun Yoo
Apr 13, 2026, 8:10:09 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
NAVER Cloud Trust Services votes "Yes" on Ballot SC-099
Best Regards,
Hogeun Yoo
-----Original Message-----
From: "'Aaron Gable' via Server Certificate WG (CA/B Forum)"<server...@groups.cabforum.org>
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
黃晟(orca)
Apr 13, 2026, 9:36:28 PM (9 days ago) Apr 13
to server...@groups.cabforum.org
TWCA votes Yes on Ballot SC-099.
Best,
Sean Huang
Senior PKI Compliance Engineer
TEL:02-2370-8886#728
FAX:02-2388-6720
Email:or...@twca.com.tw
10F., No. 85, Yanping South Road,
Taipei, Taiwan (R.O.C.)
--
Adriano Santoni
Apr 14, 2026, 3:00:34 AM (9 days ago) Apr 14
to server...@groups.cabforum.org
Actalis votes "Yes" on Ballot SC-099.
Il 10/04/2026 21:30, 'Aaron Gable' via
Server Certificate WG (CA/B Forum) ha scritto:
Josselin ALLEMANDOU
Apr 14, 2026, 3:34:09 AM (8 days ago) Apr 14
to server...@groups.cabforum.org
CERTIGNA votes « Yes » on ballot SC-099.
De : 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Envoyé : vendredi 10 avril 2026 21:30
À : server...@groups.cabforum.org
Objet : [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
⚠ FR : Ce message provient de l'extérieur de l'organisation. N'ouvrez pas de liens ou de pièces jointes à moins que vous ne sachiez que le contenu est fiable. ⚠
--
Backman, Antti
Apr 14, 2026, 4:50:47 AM (8 days ago) Apr 14
to server...@groups.cabforum.org
Telia vote ‘Yes’ on Ballot SC-099.
//Antti
Dimitris Zacharopoulos (HARICA)
Apr 14, 2026, 4:55:49 AM (8 days ago) Apr 14
to server...@groups.cabforum.org
HARICA votes "yes" to ballot SC099.
jun....@cybertrust.co.jp
Apr 14, 2026, 8:53:42 PM (8 days ago) Apr 14
to server...@groups.cabforum.org
Cybertrust Japan votes ‘Yes’ on SC-099
-----Original Message-----
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
* Start time: 2026-04-03 19:00 UTC
* End time: 2026-04-10 19:00 UTC
Vote for approval (7 days):
* Start time: 2026-04-10 19:30 UTC
* End time: 2026-04-17 19:30 UTC
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org <mailto:servercert-w...@groups.cabforum.org> .
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com <https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com?utm_medium=email&utm_source=footer> .
-----Original Message-----
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Saturday, April 11, 2026 4:30 AM
To: server...@groups.cabforum.org
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Ballot SC-099: Improve Recording of Validation Methods
Summary of the Ballot
Remove ambiguous language from Section 3.2.2.4 and 3.2.2.5 requiring that CAs "record" the "relevant BR version number" when performing validation.
Replace this with unambiguous language in Section 5.4.1, requiring that CAs specifically audit log the information being validated and what validation method they are using to do so.
The new language has an Effective Date of July 15, 2026, giving CAs two months from the expected end of this ballot's IPR period to comply.
Background of the Ballot
The current BRs contain the following text in Sections 3.2.2.4 and 3.2.2.5 <http://3.2.2.5/> :
To: server...@groups.cabforum.org
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Ballot SC-099: Improve Recording of Validation Methods
Summary of the Ballot
Remove ambiguous language from Section 3.2.2.4 and 3.2.2.5 requiring that CAs "record" the "relevant BR version number" when performing validation.
Replace this with unambiguous language in Section 5.4.1, requiring that CAs specifically audit log the information being validated and what validation method they are using to do so.
The new language has an Effective Date of July 15, 2026, giving CAs two months from the expected end of this ballot's IPR period to comply.
Background of the Ballot
* End time: 2026-04-10 19:00 UTC
Vote for approval (7 days):
* End time: 2026-04-17 19:30 UTC
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com <https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com?utm_medium=email&utm_source=footer> .
郭宗閔
Apr 14, 2026, 10:20:44 PM (8 days ago) Apr 14
to server...@groups.cabforum.org
Chunghwa Telecom votes "Yes" on Ballot SC-099.
Regards,
Tsung-Min Kuo
Chunghwa Telecom Co., Ltd., Taiwan (R.O.C.)
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Saturday, April 11, 2026 3:30 AM
To: server...@groups.cabforum.org
Subject: [外部郵件][Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
--
You received this message because you are subscribed to the Google
Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
Wayne Thayer
Apr 14, 2026, 11:16:07 PM (8 days ago) Apr 14
to server...@groups.cabforum.org
Fastly votes Yes on ballot SC-099.
- Wayne
--
大野 文彰
Apr 15, 2026, 12:45:45 AM (8 days ago) Apr 15
to server...@groups.cabforum.org
SECOM Trust Systems votes YES on Ballot SC-099.
Best regards,
ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Saturday, April 11, 2026 4:30 AM
To: server...@groups.cabforum.org
--
Nome Huang
Apr 15, 2026, 4:56:42 AM (7 days ago) Apr 15
to Server Certificate WG (CA/B Forum), aa...@letsencrypt.org
TrustAsia votes “Yes” on SC-099.
Yoshihiko Matsuo
Apr 15, 2026, 7:48:36 AM (7 days ago) Apr 15
to server...@groups.cabforum.org
JPRS votes YES on Ballot SC-099.
Yoshihiko Matsuo(JPRS)
On Fri, 10 Apr 2026 12:30:17 -0700
"'Aaron Gable' via Server Certificate WG (CA/B Forum)" <server...@groups.cabforum.org> wrote:
> Ballot?SC-099: Improve Recording of Validation Methods
Yoshihiko Matsuo(JPRS)
On Fri, 10 Apr 2026 12:30:17 -0700
"'Aaron Gable' via Server Certificate WG (CA/B Forum)" <server...@groups.cabforum.org> wrote:
> Ballot?SC-099: Improve Recording of Validation Methods
>
> Summary of the Ballot
>
>
> Remove ambiguous language from Section 3.2.2.4 and 3.2.2.5 requiring that CAs "record" the "relevant BR version number" when performing validation.
>
>
> Replace this with unambiguous language in Section 5.4.1, requiring that CAs specifically audit log the information being validated and what validation method they are using to do so.
>
>
> The new language has an Effective Date of July 15, 2026, giving CAs two months from the expected end of this ballot's IPR period to comply.
>
>
> Background of the Ballot
>
>
> The current BRs contain the following text in Sections 3.2.2.4 and?<http://3.2.2.5/>3.2.2.5:
> Summary of the Ballot
>
>
> Remove ambiguous language from Section 3.2.2.4 and 3.2.2.5 requiring that CAs "record" the "relevant BR version number" when performing validation.
>
>
> Replace this with unambiguous language in Section 5.4.1, requiring that CAs specifically audit log the information being validated and what validation method they are using to do so.
>
>
> The new language has an Effective Date of July 15, 2026, giving CAs two months from the expected end of this ballot's IPR period to comply.
>
>
> Background of the Ballot
>
>
>
> > CAs SHALL maintain a record of which [domain/IP] validation method, including relevant BR version number, they used to validate every [domain/IP Address].
>
> This text is problematic for four reasons:
> - it only applies to domains and IP addresses, not other things being validated like organization information;
> - the requirement to "maintain a record" is unclear (in audit logs? in a database? in a document?);
> - no one is sure what the "relevant BR version" is (the effective version when the validation happened? the version that the validation process believes it implements?); and
> - the text is not in Section 5.4.1, which is where the BRs concentrate requirements about recording information.
>
> To resolve these issues, we need to start from first principles. The goal, as evidenced by discussion when this requirement was introduced and recollections of CA/BF members who were participating at the time, is to ensure that CAs and auditors are able to definitively identify the validation process with which the CA was required to comply for any given validation.
>
> To determine what rules governed any given validation, we need two pieces of information:
> 1. When they performed that validation. The current requirements in Section 5.4.1 already require the CA to audit log the time of every verification procedure.
> 2. What validation method the CA used. This ballot augments Section 5.4.1 to also require that the CA audit log the validation method used, as well as other useful information.
>
> Because we can accomplish the goal with a small addition to Section 5.4.1, this ballot removes the current text from Sections 3.2.2.4 and 3.2.2.5.
>
> Note that this ballot removes the requirement to "record" the "relevant BR version number". This is not considered a loss, for several reasons:
> - No CA or auditor should be relying on a logged BR version number to determine which version of the BRs governed the validation. The logged version number is not enforceable; the only information which can be relied upon to map a validation to a BRs version is the time at which the validation was performed.
> - If a new version of the BRs adds requirements to a validation method, but gates those new requirements behind a future effective date, the logged version number may indicate that the CA complies with that new version long before the CA has actually implemented the soon-to-be-required behavior.
> - If a new version of the BRs adds requirements to a validation method immediately upon the new version becoming effective, then a CA must update their processes to comply before the new version of the BRs is even published, and therefore the logged version number will be out-of-date compared to the implemented behavior.
> - Part of the original motivation behind these statements was to encourage CAs to actually read new versions of the BRs and ensure their processes comply with them. We now have other mechanisms to encourage this behavior, such as CCADB self-assessments.
>
> Therefore we conclude that recording the relevant BRs version number is neither useful nor well-specified, and therefore should not be included in the BRs.
>
> This issue was discussed on Mozilla dev-security-policy@ (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/x4zRcboSDwU) as well as at the CA/BF Face-to-Face Meeting 67 in Houston on March 10, 2026. The conclusion of those discussions was that we should create this ballot. The discussion period thread for this ballot can be seen here:?https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/KnkGWHEhWAI/m/juiAtWOJBwAJ
> > CAs SHALL maintain a record of which [domain/IP] validation method, including relevant BR version number, they used to validate every [domain/IP Address].
>
> This text is problematic for four reasons:
> - it only applies to domains and IP addresses, not other things being validated like organization information;
> - the requirement to "maintain a record" is unclear (in audit logs? in a database? in a document?);
> - no one is sure what the "relevant BR version" is (the effective version when the validation happened? the version that the validation process believes it implements?); and
> - the text is not in Section 5.4.1, which is where the BRs concentrate requirements about recording information.
>
> To resolve these issues, we need to start from first principles. The goal, as evidenced by discussion when this requirement was introduced and recollections of CA/BF members who were participating at the time, is to ensure that CAs and auditors are able to definitively identify the validation process with which the CA was required to comply for any given validation.
>
> To determine what rules governed any given validation, we need two pieces of information:
> 1. When they performed that validation. The current requirements in Section 5.4.1 already require the CA to audit log the time of every verification procedure.
> 2. What validation method the CA used. This ballot augments Section 5.4.1 to also require that the CA audit log the validation method used, as well as other useful information.
>
> Because we can accomplish the goal with a small addition to Section 5.4.1, this ballot removes the current text from Sections 3.2.2.4 and 3.2.2.5.
>
> Note that this ballot removes the requirement to "record" the "relevant BR version number". This is not considered a loss, for several reasons:
> - No CA or auditor should be relying on a logged BR version number to determine which version of the BRs governed the validation. The logged version number is not enforceable; the only information which can be relied upon to map a validation to a BRs version is the time at which the validation was performed.
> - If a new version of the BRs adds requirements to a validation method, but gates those new requirements behind a future effective date, the logged version number may indicate that the CA complies with that new version long before the CA has actually implemented the soon-to-be-required behavior.
> - If a new version of the BRs adds requirements to a validation method immediately upon the new version becoming effective, then a CA must update their processes to comply before the new version of the BRs is even published, and therefore the logged version number will be out-of-date compared to the implemented behavior.
> - Part of the original motivation behind these statements was to encourage CAs to actually read new versions of the BRs and ensure their processes comply with them. We now have other mechanisms to encourage this behavior, such as CCADB self-assessments.
>
> Therefore we conclude that recording the relevant BRs version number is neither useful nor well-specified, and therefore should not be included in the BRs.
>
>
> This ballot is written by Aaron Gable (ISRG / Let's Encrypt) and endorsed by Gurleen Grewal (Google Trust Services), Trev Ponds-White (Amazon Trust Services), and Roman Fischer (SwissSign).
>
>
> --- Motion Begins ---
>
>
> Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Server Certificates", based on Version 2.2.6, per the following redline:
>
>
> https://github.com/cabforum/servercert/compare/168e0aa8cafe753c85a94b5a8f28541beda48201...e3fc28ab09ffae2f83aa9316ff20108199c29692
>
>
> --- Motion Ends ---
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
>
>
> Discussion (at least 7 days):
> Start time: 2026-04-03 19:00 UTCEnd time: 2026-04-10 19:00 UTC
> This ballot is written by Aaron Gable (ISRG / Let's Encrypt) and endorsed by Gurleen Grewal (Google Trust Services), Trev Ponds-White (Amazon Trust Services), and Roman Fischer (SwissSign).
>
>
> --- Motion Begins ---
>
>
> Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Server Certificates", based on Version 2.2.6, per the following redline:
>
>
> https://github.com/cabforum/servercert/compare/168e0aa8cafe753c85a94b5a8f28541beda48201...e3fc28ab09ffae2f83aa9316ff20108199c29692
>
>
> --- Motion Ends ---
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
>
>
> Discussion (at least 7 days):
> Vote for approval (7 days):
>
> Start time: 2026-04-10 19:30 UTCEnd time: 2026-04-17 19:30 UTC
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
> To view this discussion visit <https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com?utm_medium=email&utm_source=footer>https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErdDP6maNKvZm6p7ysh%2BrcYvPi%2BhWdzuBDfNb8gmj4RT5w%40mail.gmail.com.
>
>
> --
> You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
sde...@godaddy.com
Apr 15, 2026, 9:54:01 AM (7 days ago) Apr 15
to server...@groups.cabforum.org
GoDaddy votes Yes on Ballot SC-099.
Regards,
Steven Deitte
From:
'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Friday, April 10, 2026 at 3:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Ballot SC-099: Improve Recording of Validation Methods Summary of the Ballot Remove ambiguous language from Section 3. 2. 2. 4 and 3. 2. 2. 5 requiring that CAs "record" the "relevant BR version number" when performing validation.
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
servercert-w...@groups.cabforum.org.
Alvin Wang
Apr 15, 2026, 10:00:33 AM (7 days ago) Apr 15
to Server Certificate WG (CA/B Forum), aa...@letsencrypt.org
SHECA votes Yes on Ballot SC-099.
Regards,
Alvin.Wang
On Saturday, April 11, 2026 at 3:30:33 AM UTC+8 aa...@letsencrypt.org wrote:
Tom Zermeno
Apr 15, 2026, 3:38:31 PM (7 days ago) Apr 15
to server...@groups.cabforum.org
SSL.com votes “YES” on SC-099.
Tom Z.
- SSL.com
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Friday, April 10, 2026 at 2:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Adriano Santoni
Apr 16, 2026, 6:50:17 AM (6 days ago) Apr 16
to server...@groups.cabforum.org
Actalis votes 'yes' on ballot SC-099
Il 10/04/2026 21:30, 'Aaron Gable' via
Server Certificate WG (CA/B Forum) ha scritto:
Mrugesh Chandarana
Apr 16, 2026, 9:10:28 AM (6 days ago) Apr 16
to server...@groups.cabforum.org
IdenTrust votes Yes on this ballot.
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Friday, April 10, 2026 12:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [External][Possible SPAM][Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [External][Possible SPAM][Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
--
Dustin Hollenback
Apr 16, 2026, 12:51:40 PM (6 days ago) Apr 16
to server...@groups.cabforum.org
Apple votes “Yes” on Ballot SC-099.
Chris Clements
Apr 16, 2026, 5:22:48 PM (6 days ago) Apr 16
to server...@groups.cabforum.org
Google votes Yes on Ballot SC-099.
qi_ji...@itrus.com.cn
Apr 17, 2026, 1:16:01 AM (6 days ago) Apr 17
to servercert-wg
Kateryna Aleksieieva
Apr 17, 2026, 2:20:26 AM (6 days ago) Apr 17
to server...@groups.cabforum.org
Certum votes YES on Ballot SC-099
Kind regards,
Kateryna Aleksieieva
Peter Miškovič
Apr 17, 2026, 3:29:00 AM (5 days ago) Apr 17
to server...@groups.cabforum.org
Disig votes „Yes“ on Ballot SC-099: Improve Recording of Validation Methods.
Regards,
Peter Miskovic
Entschew, Enrico
Apr 17, 2026, 8:52:46 AM (5 days ago) Apr 17
to server...@groups.cabforum.org
D-Trust votes „Yes“ on Ballot SC-099.
Thanks,
Enrico
Arvid Vermote
Apr 17, 2026, 11:09:55 AM (5 days ago) Apr 17
to server...@groups.cabforum.org
GlobalSign votes “Yes” on Ballot SC-099.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/d0da9df2b7e3403bac49fe3201b24d7e%40disig.sk.
Tim Hollebeek
Apr 17, 2026, 1:01:26 PM (5 days ago) Apr 17
to server...@groups.cabforum.org
DigiCert votes YES on SC-099.
-Tim
Martijn Katerbarg
Apr 17, 2026, 1:04:25 PM (5 days ago) Apr 17
to server...@groups.cabforum.org
Sectigo votes YES to Ballot SC-099
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Friday, April 10, 2026 9:30 PM
To: server...@groups.cabforum.org <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-099: Improve Recording of Validation Methods
This Message Is From an External Sender
This message came from outside your organization.
Reply all
Reply to author
Forward
0 new messages