Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Martijn Katerbarg
Summary
DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
Motion Begins
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
Motion Ends
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
-
Start time: 2025-12-15 12:15 UTC
-
End time: 2026-01-07 16:15 UTC
Vote for approval (7 days)
-
Start time: 2026-01-07 16:15 UTC
-
End time: 2026-01-14 16:15 UTC
Ben Wilson
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.
黃晟(orca)
TWCA votes “Yes” on ballot SC-096.
Regards,
Sean Huang
Senior R&D Engineer
TEL:02-2370-8886#728
FAX:02-2388-6720
Email:or...@twca.com.tw
10F., No. 85, Yanping South Road,
Taipei, Taiwan (R.O.C.)
--
Dimitris Zacharopoulos (HARICA)
Pedro FUENTES
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/a488387b-2794-45cd-8e04-b6e474461cdf%40harica.gr.
Marco Schambach
IdenTrust votes “Yes” on SC-096:
Marco S.
TrustID Program Manager
--
郭宗閔
Chunghwa Telecom votes “Yes” on SC-096.
Regards,
Tsung-Min Kuo
Chunghwa Telecom Co., Ltd.
From: 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Thursday, January 8, 2026 12:14 AM
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate
WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [外部郵件][Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
--
You received this message because you are subscribed to the Google
Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.
本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.
sde...@godaddy.com
GoDaddy votes Yes on SC-096.
Cheers,
Steven
From:
'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Date: Wednesday, January 7, 2026 at 11:14
AM
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Summary DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging. This ballot aims to carve-out the logging requirements
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd
--
Tom Zermeno
SSL.com votes “Yes” on SC-096.
From: 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, January 7, 2026 10:14 AM
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Summary
--
Scott Rea
Date: Wednesday, 7 January 2026 at 8:14 PM
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
|
CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.
|
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.
Nome Huang
Martijn Katerbarg
Date: Wednesday, 7 January 2026 at 17:14
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Adriano Santoni
Regards.
qi_ji...@itrus.com.cn
Date: 2026-01-08 00:14Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Aaron Poulsen
성지은 Jieun Seong
Date: 2026/01/08 01:14:16
From: "'Martijn Katerbarg' via Server Certificate WG (CA/B Forum)"
To: "'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum)"
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.
大野 文彰
SECOM Trust Systems votes YES on Ballot SC-096.
Best regards,
ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.
From: 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Thursday, January 8, 2026 1:14 AM
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Summary
--
Dimitris Zacharopoulos (HARICA)
Voting for this ballot ends on 2026-01-13 16:15:00 UTC.
Peter Miškovič
Hi Dimitris,
what is the reason that the voting should end a day earlier than it is listed there - End time: 2026-01-14 16:15 UTC?
Regards
Peter Miskovic
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/969a7660-e5d3-4278-9b57-6934cf852154%40harica.gr.
Backman, Antti
//Antti
Dimitris Zacharopoulos
DZ.
Jan 13, 2026 14:03:22 'Peter Miškovič' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>:
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/683b391a4f6f468ba37b837f37038531%40disig.sk.
Entschew, Enrico
D-Trust votes „Yes“ on Ballot SC-096.
Thanks,
Enrico
--
Peter Miškovič
Hi Dimitris,
if you mean „SC-096: Carve-out for DNSSEC verification logging requirements“, then the end date is as I mentioned - 2026-01-14 16:15 UTC
Voting ends 2026-01-15 16:15 UTC is for SC094v2: DNSSEC exception in email DCV methods.
Regards
Peter
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/f13c8270-8657-4888-9f84-a9d037bb5a81%40harica.gr.
Dimitris Zacharopoulos
Voting End time: 2026-01-14 16:15 UTC
DZ.
Jan 13, 2026 14:33:17 'Peter Miškovič' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>:
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/b001fe82d14b4aa89120222c11e27547%40disig.sk.
Christophe Bonjean
GlobalSign votes “Yes” on Ballot SC-096.
Christophe
--
Kateryna Aleksieieva
Certum votes YES on Ballot SC-096
Kind regards,
Kateryna Aleksieieva
Tim Hollebeek
Summary
DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
Motion Begins
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
Motion Ends
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
Vote for approval (7 days)
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
Yoshihiko Matsuo
Yoshihiko Matsuo(JPRS)
On Wed, 7 Jan 2026 16:14:05 +0000
> Summary
>
> DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
>
> This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
>
> The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
>
> Motion Begins
>
> MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
>
> Motion Ends
>
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
>
> Discussion (at least 7 days)
>
>
> Vote for approval (7 days)
>
Dustin Hollenback
On Jan 7, 2026, at 8:14 AM, 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> wrote:
Summary
DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
Motion Begins
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
Motion Ends
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
Vote for approval (7 days)
Wayne Thayer
Peter Miškovič
Disig votes „YES“ on ballot „SC-096: Carve-out for DNSSEC verification logging requirements“
Regards
Peter Miskovic
From: 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: streda 7. januára 2026 17:14
To: 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Summary
jun....@cybertrust.co.jp
-----Original Message-----
From: 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Subject: [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
Summary
DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
Motion Begins
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
Vote for approval (7 days)
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com <https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com?utm_medium=email&utm_source=footer> .
Alvin Wang
Summary
DCV/CAA logging currently is defined very broadly, leaving it unclear if DNSSEC verification logs are in scope or not. Additionally, DNS resolvers are not built for extensive logging.
This ballot aims to carve-out the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
The following motion has been proposed by Martijn Katerbarg (Sectigo) and endorsed by Roman Fischer (SwissSign) and Ben Wilson (Mozilla).
Motion Begins
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.1.9 as specified in the following redline:
Motion Ends
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
Vote for approval (7 days)
Josselin ALLEMANDOU
Certigna votes “YES” on Ballot SC-096.
Josselin.
De : 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Envoyé : mercredi 7 janvier 2026 17:14
À : 'Dimitris Zacharopoulos (HARICA)' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Objet : [Servercert-wg] Voting Period Begins: SC-096: Carve-out for DNSSEC verification logging requirements
⚠ FR : Ce message provient de l'extérieur de l'organisation. N'ouvrez pas de liens ou de pièces jointes à moins que vous ne sachiez que le contenu est fiable. ⚠
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
servercert-w...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/SA1PR17MB650347AB4795BA7FF0A97425E384A%40SA1PR17MB6503.namprd17.prod.outlook.com.