Ballot SC-098v2: Process RFC 8657 CAA Parameters
Summary of the Ballot
This ballot adds the requirement that CAs process the Certification Authority Authorization (CAA) parameters defined in RFC 8657. These parameters allow the issuance policy specified by a CAA record to include the account and domain validation methods that may be used to issue a certificate for the subject domain.
The ballot defines a syntax for specifying non-ACME domain validation methods in section 4.2.2.1.3.
CAs supporting non-ACME accounts must document the accepted accounturi format in their CP or CPS.
These requirements take effect on March 15, 2027.
The ballot also consolidates CAA requirements into section 4.2.1.
Summary of Discussion
Special thanks to Grace Cimaszewski for helping to move this ballot forward.
The following motion has been proposed by Wayne Thayer (Fastly) and endorsed by Chris Clements (Google) and Ben Wilson (Mozilla).
--- Motion Begins ---
This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“Baseline Requirements”), based on Version 2.2.6
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
Start time: 2026-04-27 00:00 UTC
End time: 2026-05-04 15:00 UTC
Vote for approval (7 days)
Start time: 2026-05-04 15:00 UTC
End time: no earlier than 2026-05-11 15:00 UTC
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/e07bd688-34e1-43ac-8a15-37e1d13aafdan%40groups.cabforum.org.
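The kind of check the ballot summary describes, as an added example that is not part of the ballot text or any CA's implementation: it evaluates CAA `issue` property values carrying the RFC 8657 `accounturi` and `validationmethods` parameters and fails closed on malformed ones. The function names, the `ca.example` issuer and the account URI are constructed. Only ACME method labels are used, the ballot's non-ACME syntax is not modelled, and unknown parameters are ignored by assumption.

```python
import re

# Constructed sample: issue property values from one relevant CAA RRset.
SAMPLE = ["ca.example; accounturi=https://ca.example/acct/1001; validationmethods=dns-01"]

TAG_RE = re.compile(r"[a-z0-9]+(?:-+[a-z0-9]+)*")  # RFC 8659 parameter tag

def parse_issue_value(value):
    """Split an issue value into (issuer_domain, {parameter: value})."""
    issuer, *raw_params = [p.strip() for p in value.split(";")]
    params = {}
    for raw in raw_params:
        if not raw:  # tolerate a trailing ";"
            continue
        tag, sep, val = raw.partition("=")
        tag = tag.lower()
        if not sep or not TAG_RE.fullmatch(tag) or tag in params:
            raise ValueError(f"malformed or repeated parameter: {raw!r}")
        params[tag] = val
    return issuer.lower(), params

def record_authorizes(value, ca_domain, account_uri, method):
    """True if this single issue property authorizes the request."""
    try:
        issuer, params = parse_issue_value(value)
    except ValueError:
        return False  # unsatisfiable property: fail closed
    if issuer != ca_domain:
        return False
    # A property without accounturi matches any account of that CA.
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    # validationmethods is a comma-separated list; an empty list allows none.
    if "validationmethods" in params:
        if method not in params["validationmethods"].split(","):
            return False
    return True  # other parameters are ignored here (assumption)

def issuance_permitted(issue_values, ca_domain, account_uri, method):
    """Issuance is allowed if no issue property exists or any one authorizes it."""
    if not issue_values:
        return True
    return any(record_authorizes(v, ca_domain, account_uri, method)
               for v in issue_values)

if __name__ == "__main__":
    for m in ("dns-01", "http-01"):
        print(m, issuance_permitted(SAMPLE, "ca.example",
                                    "https://ca.example/acct/1001", m))
```

With the sample record, a request validated by `http-01` is refused even though the issuer and account match, which is the case a domain owner has to keep in mind when restricting methods in DNS.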
TWCA votes Yes on Ballot SC-098v2.
Best,
Sean Huang
Senior PKI Compliance Engineer
TEL:02-2370-8886#728
FAX:02-2388-6720
Email:or...@twca.com.tw

10F., No. 85, Yanping South Road,
Taipei, Taiwan (R.O.C.)
--
Actalis votes 'Yes' to ballot SC-098v2.
--
HARICA believes this ballot introduces significant complexity, increasing the likelihood that Domain Owners may be prevented from obtaining certificates if the appropriate DNS values are not configured correctly (similar to the issues previously seen with Public Key Pinning). In addition, CAs would be required to implement a complex and operationally challenging set of rules, including considerations for linked accounts and parent–child organizational relationships. Ultimately, we believe that only a limited number of Domain Owners will make use of such restrictions. As complexity increases, so does the likelihood of configuration errors and operational mistakes.
All Domain Validation methods currently included in the Baseline Requirements are considered secure by the SCWG, and Domain Owners should be able to use any of them at any time without the perception that one method is inherently more secure than another. While certain methods may present higher risks than others, the SCWG has agreed to gradually deprecate those methods over time. This should not be interpreted as meaning that the methods scheduled for deprecation are insecure.
As additional validation methods are introduced, Domain Owners who have configured CAA parameters to permit only specific methods will need to revisit and update their DNS records before they can take advantage of the newly introduced methods. This is an additional barrier which can be avoided.
--
Certum votes YES on Ballot SC-098v2
Kind regards,
Kateryna Aleksieieva
--
Chunghwa Telecom votes YES on Ballot SC-098v2.
Regards,
Tsung-Min Kuo
Chunghwa Telecom Co., Ltd., Taiwan (R.O.C.)