Discussion Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements


Martijn Katerbarg

Dec 15, 2025, 6:43:50 AM
to 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum)

Summary

DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.

This ballot aims to carve out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: 2025-12-15 11:45 UTC
  • End time: Not Before 2026-01-07 15:00 UTC

Vote for approval (7 days)

  • Start time: TBD
  • End time: TBD

Martijn Katerbarg

Dec 15, 2025, 7:03:26 AM
to server...@groups.cabforum.org
I just realized the required endorsers were not added into the ballot email. I will send out an update shortly.


Martijn Katerbarg

Dec 15, 2025, 7:18:14 AM
to server...@groups.cabforum.org

Summary

DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.

This ballot aims to carve out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.

The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

  • Start time: 2025-12-15 12:15 UTC
  • End time: Not Before 2026-01-07 15:00 UTC