SC-XXX: Cleanup for ADN CNAME use


Rich Smith

Sep 29, 2025, 4:36:20 PM
to valid...@groups.cabforum.org

Hello all: 

The validation subcommittee of the Server Certificate Working Group at the CA/Browser Forum discussed the use of CNAME lookups to determine an Authorisation Domain Name (ADN) during the September 18 meeting. 

One of the action items from the meeting was for DigiCert to draft an amendment to the TLS BRs that captured the discussion on recent bugs. A draft amendment is available at: 

https://github.com/cabforum/servercert/pull/619  

Per the subcommittee discussion, the proposed text: 

  • Removes CNAME language from ADN definition; and 
  • Clarifies the use of FQDNs returned from DNS CNAME lookups to determine the ADN by method in Section 3.2.2.4. 

We look forward to returning to the discussion in the next meeting of the Validation subcommittee. 

Regards,    

 

Rich Smith

Director, Technical Compliance


Aaron Gable

Sep 29, 2025, 6:32:34 PM
to valid...@groups.cabforum.org
Hi Rich,

Thank you for doing this! I think the conversation on the bugzilla bug and in the validation subcommittee meeting has been very helpful in figuring out a path forward.

I've left some comments on the github PR. I think this is a really good direction, but doesn't go quite far enough: I think that we should remove normative text (MUST/MAY/etc) from the definition of ADN entirely. The definition should be just that, a definition saying that an ADN is whatever domain name was actually used for validation, regardless of how it was derived. Then Section 3.2.2.4 and the individual methods in that section can define what mechanisms for deriving an ADN are acceptable.

Thanks again,
Aaron

--
You received this message because you are subscribed to the Google Groups "Validation Subcommittee (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to validation+...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/validation/IA0PR14MB64147F486473119CADF2B312E31BA%40IA0PR14MB6414.namprd14.prod.outlook.com.

Adriano Santoni

Sep 30, 2025, 4:58:51 AM
to valid...@groups.cabforum.org

+1

On 30/09/2025 00:32, 'Aaron Gable' via Validation Subcommittee (CA/B Forum) wrote:

Rich Smith

Sep 30, 2025, 10:50:13 AM
to valid...@groups.cabforum.org

Thanks for your feedback, and your involvement in the discussion, Aaron.  In general, DigiCert supports the direction of removing normative requirements from definitions, including the ADN definition.  I do worry a little bit about such an endeavor making this ballot much more complicated, as well as stepping on the work that is already getting underway in the Definitions working group.  If we can confine this ballot to the ADN definition, I think it’s workable, but I can already see from the comments on the PR that there’s a danger of this snow-balling quickly into a significant and comprehensive overhaul involving multiple definitions, concepts, and complex requirements.  Maybe that’s what’s needed, and if the group thinks that’s the direction we should go, I’m on board, but I’d prefer that we do that with eyes wide open rather than stumbling into it by happenstance.

 

Regards,

Rich

Aaron Gable

Sep 30, 2025, 12:49:34 PM
to valid...@groups.cabforum.org
Yeah, I recognize the concern that this could grow out quite large. I think the right line to draw is: let's solve the ADN problem, and not solve the Wildcard Domain Name / FQDN problem. We can make sure we don't make that latter problem worse with the new phrasing, but no need to expand this ballot to fix every instance of using "FQDN" where the BRs really mean "FQDN or WDN".

Aaron
