TWCA votes Yes on Ballot SC-101v2.
Best,
Sean Huang
Senior PKI Compliance Engineer
TEL:02-2370-8886#728
FAX:02-2388-6720
Email:or...@twca.com.tw

10F., No. 85, Yanping South Road,
Taipei, Taiwan (R.O.C.)
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
servercert-w...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErcv%2Bs4-YRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA%40mail.gmail.com.
-----Original Message-----
From: "'Aaron Gable' via Server Certificate WG (CA/B Forum)"<server...@groups.cabforum.org>
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErcv%2Bs4-YRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA%40mail.gmail.com.
--
|
CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.
|
--
IdenTrust votes Yes to SC-101v2
Sincerely,
Andrea Holland
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Tuesday, June 23, 2026 7:19 PM
To: server...@groups.cabforum.org
Cc: Rich Smith <rich....@digicert.com>; Chris Clements <ccle...@google.com>
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
servercert-w...@groups.cabforum.org.
Government of Korea "YES" on Ballot SC-101v2.
Jieun Seong
Researcher / Dept of Digital Authentication
Korea Local Information Research & Development Institute, KLID
301, Seongam-ro, Mapo-gu, Seoul, 03923, Korea
D: +82 (2) 2031-9418 / M: +82 (10) 4800 0224
Date: 2026/06/24 08:25:07
From: "'Aaron Gable' via Server Certificate WG (CA/B Forum)"
To: "server...@groups.cabforum.org"
Cc: Rich Smith , Chris Clements
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-101v2: Clarify Authorization Domain Names
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErcv%2Bs4-YRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA%40mail.gmail.com.
SECOM Trust Systems votes YES on Ballot SC-101v2.
Best regards,
ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, June 24, 2026 8:19 AM
--
-----Original Message-----
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, June 24, 2026 8:19 AM
To: server...@groups.cabforum.org
Cc: Rich Smith <https://urldefense.proofpoint.com/v2/url?u=http-3A__rich.smith-40digicert.com&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=AhAI8cWo9swaYIRBGMrxysAmuRVeyRhiQRgNINVlicw&e=>; Chris Clements <ccle...@google.com>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-101v2: Clarify Authorization Domain Names
Ballot SC-101v2: Clarify Authorization Domain Names
Summary of the Ballot
In Section 3.2.2.4, explicitly describe the algorithm by which a CA may derive an Authorization Domain Name from an applied-for FQDN. The algorithm described is consistent with the most common interpretation of the current definition of ADN, so this is not expected to be a disruptive change for most CAs, but it removes ambiguity and closes one security issue (described below).
Simplify the definition of Authorization Domain Name to be merely descriptive. Update all validation methods to describe how they validate control of the selected ADN. Collapse all previous statements about validation method suitability for wildcard and ending-in-the-same-suffix validation into a table in Section 3.2.2.4. As a knock-on effect, simplify the definitions of Base Domain Name and Domain Contact.
Although these changes are simple, they are also sweeping. As such, the ballot includes a provision that CAs may comply with Section 3.2.2.4 of the previous version of the Baseline Requirements until November 15, 2026. This is derived from the approach taken by v2.0 of the Network Security Requirements.
Background of the Ballot
The existing definition of Authorization Domain Name has two severe issues:
a) It contains normative policy language (describing how to derive an ADN) but attempts to be a concise and descriptive definition, leading to ambiguity as to whether parts of the definition can be performed exclusively, in sequence, repeatedly, or otherwise.
b) Under some interpretations, it allows for issuance of certificates for names over which the applicant has not demonstrated any control.
Specifically, one interpretation of the current definition of an ADN is that a CA may prune labels from the left-hand side of the FQDN, then follow one or more CNAMEs, and then use the resulting FQDN as the ADN. However, just because `example.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=0NzGJchaenQtFS4k3xWrX2ZRQujAyYbCEg8QGoiQzWI&e=> ` has a CNAME pointing to `example.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.org_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=Zf-nDNJsTKTVs3YyLNO6Ll_a3dWVGWYnklKU18Jc39M&e=> `, that does not give the operators of `example.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.org_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=Zf-nDNJsTKTVs3YyLNO6Ll_a3dWVGWYnklKU18Jc39M&e=> ` any control over subdomains of such as `blog.example.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.example.com_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=Z-FmX1KTrK3_q54U9ZnRAXurfXBaLyz-Yu5HjawP1Z0&e=> `. Under this interpretation, an entity capable of demonstrating control of a CNAME (such as a CDN operator) might be able to get issuance of certificates for arbitrary subdomains of names that are CNAMEd to them. This is not good.
This ballot resolves the issue by much more strictly describing the acceptable ADN derivation algorithm. In particular:
- The ADN must be selected after the validation method has been selected.
- Only certain methods (those which perform validation at the name itself, not at a underscore-prefixed subdomain of it) can use the "cname" step of the ADN algorithm.
- Only certain methods (those which currently allow issuance for "other FQDNs that end with all the Domain Labels of the validated FQDN") can use the "prune" step of the ADN algorithm.
- Following CNAMEs must happen before pruning labels, if both operations are performed.
This makes it much easier for CAs to implement provably-compliant ADN derivation algorithms, and closes the security hole described above.
This ballot also explicitly acknowledges something that has always been true: that all validation methods are in fact validating control over the ADN, not the applied-for FQDN (unless the CA has selected the ADN to be exactly equal to the applied-for FQDN). This means that validation data reuse also works at the ADN level: if two applied-for FQDNs can both be turned into the same ADN, then demonstrating control of that ADN is valid for the issuance of both applied-for FQDNs.
This ballot differs from the original SC-101 in only one substantive way: it adds an effective date for the change to Section 3.2.2.5.3, which is not covered by the general effective date covering all of Section 3.2.2.4. The other changes are merely editorial. You can see a diff from SC-101 to SC-101v2 here <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_pull_627_changes_709bb8f4460b1743a7df5f1bf0c728a496c57e4a..0a66f1dfad21cc9964738ce753b5ac8859d9a265&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=iTCGYIs7havCZYSJP48o1ulNZijPfOXKqVr3F__M25I&e=> .
The following motion is proposed by Aaron Gable (Let's Encrypt / ISRG) and endorsed by Rich Smith (DigiCert) and Chris Clements (Google).
--- Motion Begins ---
Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Server Certificates", based on Version 2.2.7, per the following redline:
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days):
* Start time: 2026-06-12 17:00 UTC
* End time: 2026-06-19 17:00 UTC or later
Vote for approval (7 days):
* Start time: 2026-06-23 23:20 UTC
* End time: 2026-06-30 23:20 UTC
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org <mailto:servercert-w...@groups.cabforum.org> .
To view this discussion visit https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_a_groups.cabforum.org_d_msgid_servercert-2Dwg_CAEmnErcv-252Bs4-2DYRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA-2540mail.gmail.com&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=z6afHkQblLc97sJHihwe_gZPg2i27bTKUuUmORdeq2s&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_a_groups.cabforum.org_d_msgid_servercert-2Dwg_CAEmnErcv-252Bs4-2DYRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA-2540mail.gmail.com-3Futm-5Fmedium-3Demail-26utm-5Fsource-3Dfooter&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=mKfIauMEtFddpqXy69lXuUdHW-PfDnC6MctHktBI7C8&e=> .
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_a_groups.cabforum.org_d_msgid_servercert-2Dwg_OS3P286MB3194BB29D5957F323A83E796CAED2-2540OS3P286MB3194.JPNP286.PROD.OUTLOOK.COM&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=AFTYu1HAQdkStwzgxyDbKOLyDwTHEezL5yeqoxeZ0fc&m=YHD2SfBbnT6AYDCLfiEzPPKkbhi1m9JR8pMLc3pp39vqM1wjkv2IWS_58TgRDgoG&s=C50G5diu0QHrxsSi8kM-_dLC8kWjjoQY8yJlGNW8KL4&e=.
D-Trust votes „YES“ on Ballot SC-101v2.
Thanks,
Enrico
Von: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Gesendet: Mittwoch, 24. Juni 2026 01:19
An: server...@groups.cabforum.org
Cc: Rich Smith <rich....@digicert.com>; Chris Clements <ccle...@google.com>
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
servercert-w...@groups.cabforum.org.
Chunghwa Telecom votes YES on Ballot SC-101v2.
Regards,
Tsung-Min Kuo
Chunghwa Telecom Co., Ltd., Taiwan (R.O.C.)
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, June 24, 2026 7:19 AM
To: server...@groups.cabforum.org
Cc: Rich Smith <rich....@digicert.com>; Chris
Clements <ccle...@google.com>
Subject: [外部郵件][Servercert-wg] Voting Period Begins: Ballot SC-101v2: Clarify Authorization Domain Names
--
You received this message because you are subscribed to the Google
Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CAEmnErcv%2Bs4-YRDx8F31j1HMtrxnVQLQCZs3ifO2KxNvQVouTA%40mail.gmail.com.
--
Certum votes YES on SC-101v2
Pozdrawiam
Kateryna Aleksieieva
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, June 24, 2026 1:19 AM
To: server...@groups.cabforum.org
Cc: Rich Smith <rich....@digicert.com>; Chris Clements <ccle...@google.com>
--
Caution: This is an external email. Stop, assess and verify. Please take care when clicking links or opening attachments! When in doubt, report it using “report phishing” function. |
Sectigo votes yes
De: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Enviado el: miércoles, 24 de junio de 2026 1:19
Para: server...@groups.cabforum.org
CC: Rich Smith <rich....@digicert.com>; Chris Clements <ccle...@google.com>
Asunto: [Servercert-wg] Voting Period Begins: Ballot SC-101v2: Clarify Authorization Domain Names
Ballot SC-101v2: Clarify Authorization Domain Names Summary of the Ballot In Section 3. 2. 2. 4, explicitly describe the algorithm by which a CA may derive an Authorization Domain Name from an applied-for FQDN. The algorithm described is consistent
ZjQcmQRYFpfptBannerStart
|
ZjQcmQRYFpfptBannerEnd
Disig votes „YES“ on Ballot SC-101v2: Clarify Authorization Domain Names.
Regards,
Peter Miskovic
From: 'Aaron Gable' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: streda 24. júna 2026 1:19
To: server...@groups.cabforum.org
Cc: Rich Smith <rich....@digicert.com>; Chris Clements <ccle...@google.com>
Subject: [Servercert-wg] Voting Period Begins: Ballot SC-101v2: Clarify Authorization Domain Names
Ballot SC-101v2: Clarify Authorization Domain Names
Summary of the Ballot
In Section 3.2.2.4, explicitly describe the algorithm by which a CA may derive an Authorization Domain Name from an applied-for FQDN. The algorithm described is consistent with the most common interpretation of the current definition of ADN, so this is not expected to be a disruptive change for most CAs, but it removes ambiguity and closes one security issue (described below).
GlobalSign votes “Yes” on Ballot SC-101v2.
Christophe
Best, Karina
-- Dimitris Zacharopoulos CA/B Forum SCWG Chair