Discussion period begins: SC-86v3: Sunset the Inclusion of Domain Names with an IP Reverse Zone Suffix


Corey Bonnell

Oct 23, 2025, 7:24:11 AM
to server...@groups.cabforum.org

Purpose of Ballot

The IP Reverse Address Domain Names (“in-addr.arpa” and “ip6.arpa”) are components of the Internet infrastructure and are not intended to include hostnames. As a result, it is undesirable to permit the issuance of publicly trusted TLS certificates containing hostnames under “in-addr.arpa” and “ip6.arpa”. This ballot establishes a sunset on this practice.

Motion

The following motion has been proposed by Corey Bonnell (DigiCert) and endorsed by Clint Wilson (Apple) and Tobias Josefowitz (Opera).

Motion Begins

MODIFY the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“TLS Baseline Requirements”) based on Version 2.1.7 as specified in the following redline:

https://github.com/cabforum/servercert/compare/b6a014d4aee244c019ef6ca41667045cdbfefb81...b249b191249e834aeffb32dc633249ad55658e1a

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)

Start time: 2025-10-23 11:30 UTC
End time: Not before 2025-10-30 11:30 UTC

Vote for approval (7 days)

Start time: TBD
End time: TBD
