Discussion period begins: SC-86: Sunset the Inclusion of Address and Routing Parameter Area Names


Corey Bonnell

May 2, 2025, 9:32:18 AM
to server...@groups.cabforum.org

Purpose of Ballot

 

The Address and Routing Parameter Area Names top-level domain (“.arpa”) is a component of the Internet infrastructure and is not intended to include hostnames. As a result, it is undesirable to permit the issuance of publicly trusted TLS certificates containing hostnames under “.arpa”. This ballot establishes a sunset on this practice.

 

Motion

 

The following motion has been proposed by Corey Bonnell (DigiCert) and endorsed by Clint Wilson (Apple) and Tobias Josefowitz (Opera).

 

Motion Begins

 

MODIFY the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“TLS Baseline Requirements”) based on Version 2.1.4 as specified in the following redline:

 

https://github.com/cabforum/servercert/compare/71252c65fafc8ff1dd903f7138d86327689365f8...bc345f4920593f4202a7f99efa60c92a6d21af35

 

Motion Ends

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (at least 7 days)

 

Start time: 2025-05-02 13:30 UTC

 

End time: Not before 2025-05-09 13:30 UTC

 

Vote for approval (7 days)

 

Start time: TBD

 

End time: TBD

 

Corey Bonnell

Oct 13, 2025, 5:57:55 AM
to server...@groups.cabforum.org

Purpose of Ballot

 

The IP Reverse Address Domain Names (“in-addr.arpa” and “ip6.arpa”) are components of the Internet infrastructure and are not intended to include hostnames. As a result, it is undesirable to permit the issuance of publicly trusted TLS certificates containing hostnames under “in-addr.arpa” and “ip6.arpa”. This ballot establishes a sunset on this practice.

 

Motion

 

The following motion has been proposed by Corey Bonnell (DigiCert) and endorsed by Clint Wilson (Apple) and Tobias Josefowitz (Opera).

 

Motion Begins

 

MODIFY the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“TLS Baseline Requirements”) based on Version 2.1.7 as specified in the following redline:

 

https://github.com/cabforum/servercert/compare/b6a014d4aee244c019ef6ca41667045cdbfefb81...469733c1d10ac5cfab8390c9d5e5d8dac1a282c6

 

Motion Ends

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (at least 7 days)

 

Start time: 2025-10-13 10:00 UTC

End time: Not before 2025-10-20 10:00 UTC

Corey Bonnell

Oct 20, 2025, 12:20:21 PM
to server...@groups.cabforum.org

Hello,

Assuming there is no discussion on this ballot, I will start voting this Thursday.

 

Thanks,

Corey

--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/DS0PR14MB621627CD3990FB41BE4E0B9392EAA%40DS0PR14MB6216.namprd14.prod.outlook.com.

Roman Fischer

Oct 21, 2025, 1:35:00 AM
to server...@groups.cabforum.org

Dear Corey,

 

I just saw the proposal for ballot "SC-91: Sunset 3.2.2.5.3 Reverse Address Lookup Validation, proposal of new DNS-based validation using Persistent DCV TXT Record for IP addresses (PR #626)". Don't they contradict each other?

 

Kind regards
Roman

Gurleen Grewal

Oct 21, 2025, 6:59:25 PM
to server...@groups.cabforum.org

Hi Roman,

Thanks for raising your concerns. I’d like to clarify that SC-91 does not conflict with SC-86.

SC-86 prohibits the issuance of certificates containing domain names that end in the “in-addr.arpa” and “ip6.arpa” suffixes. SC-91 pertains to the issuance of certificates containing IP addresses (not domain names). SC-91 proposes a new validation method (and sunsets an old one) that involves translating the IP address to its reverse “.arpa” FQDN, and performing Persistent DCV TXT-based validation on that reverse zone domain name. The reverse zone domain name is not included in the certificate itself; it is only used to resolve the Persistent DCV TXT record during validation. Both ballots work together to enhance overall issuance security.

Regards,
Gurleen
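The distinction Gurleen draws is easy to check mechanically: a dNSName in the SAN extension that itself ends in in-addr.arpa or ip6.arpa is what SC-86 sunsets, while the reverse-zone name SC-91 uses is only derived from an iPAddress SAN during validation and never appears in the certificate. The following Python is an added illustration of that split, not text from either ballot or from the CA/B Forum; the SAN contents are constructed sample values, and the in-addr.arpa / ip6.arpa scope mirrors the Oct 13 ballot text above.

```python
"""Separate the two things SC-86 and SC-91 touch (added example, not ballot text).

- is_reverse_zone_name(): the SC-86 check, applied to dNSName SAN entries.
- reverse_zone_name(): the IP -> reverse-zone FQDN mapping SC-91 validates against
  (via a Persistent DCV TXT record); this name is never placed in the certificate.
"""
import ipaddress
from typing import Dict, Iterable, List

# Suffixes named in the Oct 13 SC-86 ballot text.
REVERSE_ZONE_SUFFIXES = ("in-addr.arpa", "ip6.arpa")


def is_reverse_zone_name(dns_name: str) -> bool:
    """True if a dNSName falls under in-addr.arpa or ip6.arpa.

    Label-wise comparison (case-insensitive, trailing dot tolerated) so that
    'fooin-addr.arpa' is NOT matched but 'x.in-addr.arpa' and 'IN-ADDR.ARPA.' are.
    """
    labels = dns_name.rstrip(".").lower().split(".")
    for suffix in REVERSE_ZONE_SUFFIXES:
        suffix_labels = suffix.split(".")
        if len(labels) >= len(suffix_labels) and labels[-len(suffix_labels):] == suffix_labels:
            return True
    return False


def reverse_zone_name(ip: str) -> str:
    """Map an IPv4/IPv6 address to its reverse-zone FQDN (RFC 1035 / RFC 3596 form).

    ipaddress.reverse_pointer does the octet/nibble reversal; this is the name a
    SC-91-style validation would query for the TXT record, not a SAN value.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def lint_san(dns_names: Iterable[str], ip_addresses: Iterable[str]) -> Dict[str, object]:
    """Classify constructed SAN contents the way a pre-issuance linter would.

    dNSName entries under a reverse zone are rejected (SC-86); iPAddress entries
    are kept, and the derived reverse-zone name is reported only as the place
    validation would look (SC-91).
    """
    rejected: List[str] = [n for n in dns_names if is_reverse_zone_name(n)]
    accepted: List[str] = [n for n in dns_names if not is_reverse_zone_name(n)]
    validation_names = {ip: reverse_zone_name(ip) for ip in ip_addresses}
    return {
        "rejected_dns_names": rejected,
        "accepted_dns_names": accepted,
        "ip_validation_names": validation_names,
    }


# Constructed sample SAN contents (documentation ranges; not from any real certificate).
SAMPLE_DNS_NAMES = [
    "www.example.com",
    "1.2.0.192.in-addr.arpa",      # dNSName under a reverse zone: SC-86 rejects
    "8.B.D.0.1.0.0.2.IP6.ARPA.",   # mixed case + trailing dot: still rejected
    "home.arpa",                   # under .arpa but not a reverse zone: not in scope
]
SAMPLE_IPS = ["192.0.2.1", "2001:db8::1"]

if __name__ == "__main__":
    report = lint_san(SAMPLE_DNS_NAMES, SAMPLE_IPS)
    for name in report["rejected_dns_names"]:
        print(f"REJECT dNSName {name!r}: under in-addr.arpa/ip6.arpa (SC-86)")
    for name in report["accepted_dns_names"]:
        print(f"accept dNSName {name!r}")
    for ip, zone in report["ip_validation_names"].items():
        print(f"accept iPAddress {ip}: validate via TXT at {zone} (name not in cert)")
```

The lint keeps "home.arpa" because the Oct 13 revision of SC-86 narrowed the scope from all of ".arpa" (the May 2 text) to the two reverse-lookup zones only.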

Roman Fischer

Oct 22, 2025, 4:55:46 AM
to server...@groups.cabforum.org

Ah, thanks, that clarified it! 👍

 

Kind regards
Roman

Corey Bonnell

Oct 22, 2025, 9:28:19 AM
to server...@groups.cabforum.org

Although the definitions don’t conflict, the definitions are very similar and should build off one another to make BRs easier to read. I’m working with Gurleen and a few other folks to make sure the definitions introduced in SC-86 and SC-91 don’t cause any confusion.

 

Given this, I won’t be starting the voting period tomorrow but instead will be circulating an updated version of SC-86 and restarting the discussion period later this week.

 

Thanks,

Corey
