[Discussion] Ballot SMC014: DNSSEC for CAA


Stephen Davidson

Aug 27, 2025, 2:55:34 PM
to smcwg-...@groups.cabforum.org

Ballot SMC014: DNSSEC for CAA

 

Summary: 


Updated with minor corrections.

 

This ballot introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective, effective March 15, 2026.

 

The ballot is intended to maintain consistency in the S/MIME Baseline Requirements with the requirements of Ballot SC-085 which implemented identical requirements in the TLS Baseline Requirements. 

 

Note: SC-085 also introduced requirements in TLS Baseline Requirements for the use of DNSSEC in domain control validation. These requirements are automatically adopted in the S/MIME BR by the email domain control methods that include a normative reference to section 3.2.2.4 of the TLS Baseline Requirements.

 

The draft also includes minor corrections to web links in the text.

 

This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Ashish Dhiman (GlobalSign).

 

— Motion Begins —

 

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”), based on Version 1.0.10.

MODIFY the Baseline Requirements as specified in the following Redline:

 

https://github.com/cabforum/smime/compare/59687c5e3835f889cdbb0ff0f0a24cfffc684084...5feb1c76b8513dfb54111463eeff681be381f151

 

— Motion Ends —

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (at least 7 days)

 

  • Start time: August 27, 2025 at 17:00:00 UTC
  • End time: September 3, 2025 at 17:00:00 UTC

 

Dimitris Zacharopoulos (HARICA)

Sep 2, 2025, 2:14:09 AM
to smcwg-...@groups.cabforum.org
Dear Members,

Please note the discussion around DNSSEC in Domain Validation methods relying on emails. I suggest postponing the adoption of the DNSSEC ballot as-is, without the necessary clarifications around those Domain Validation methods.


Thank you,
Dimitris.
--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smcwg-public...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/BL1PR14MB51437032ED88C664FBEB1CF7E538A%40BL1PR14MB5143.namprd14.prod.outlook.com.

Dimitris Zacharopoulos (HARICA)

Sep 2, 2025, 2:19:00 AM
to smcwg-...@groups.cabforum.org
Actually, I just realized that this is about CAA and not the Domain Validation methods in general, so please disregard my last email :)

Thanks,
Dimitris.

Martijn Katerbarg

Sep 2, 2025, 5:05:52 AM
to smcwg-...@groups.cabforum.org
Note though, since the SBRs pull in section 3.2.2.4, the DNSSEC for DV language is presumably imported automatically.


Dimitris Zacharopoulos (HARICA)

Sep 2, 2025, 5:17:44 AM
to smcwg-...@groups.cabforum.org


On 9/2/2025 12:05 PM, 'Martijn Katerbarg' via S/MIME Certificate WG - Public (CA/B Forum) wrote:
> Note though, since the SBRs pull in section 3.2.2.4, the DNSSEC for DV language is presumably imported automatically.

That's a good observation Martijn, thank you. In that case, the SMCWG should monitor the discussions of the SCWG closely and be ready to make adjustments as needed, if the issue is not properly addressed in the SCWG before the effective date.


Best regards,
Dimitris.

Stephen Davidson

Sep 3, 2025, 11:29:31 AM
to smcwg-...@groups.cabforum.org

Thanks Dimitris and Martijn.


This ballot deals with the DNSSEC for CAA aspect in the S/MIME BR. 

The DNSSEC for DCV aspect is inherited by the S/MIME BR sections that call out to the TLS BR sections for DCV.

 

Depending on the outcome of the discussion over at ServerCert WG regarding emails, we may need to do another ballot later relating to our method 3.2.2.2.

 

We should not hold up this ballot as it has an implementation date.

 

Best, Stephen

Stephen Davidson

Sep 3, 2025, 12:00:28 PM
to smcwg-...@groups.cabforum.org

This ballot introduces requirements that a Certificate Issuer MUST deploy DNSSEC validation back to the IANA DNSSEC root trust anchor on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective, effective March 15, 2026.

Voting for Approval

  • Start time: September 3, 2025 at 17:00:00 UTC
  • End time: September 10, 2025 at 17:00:00 UTC

 

Hazhar Ismail

Sep 3, 2025, 9:13:53 PM
to smcwg-...@groups.cabforum.org
MSC Trustgate votes YES on SMC014

Warm regards,

Hazhar Ismail

 



Nome Huang

Sep 5, 2025, 4:23:57 AM
to S/MIME Certificate WG - Public (CA/B Forum), Stephen Davidson
TrustAsia votes YES on SMC014

Stefan Selbitschka

Sep 5, 2025, 4:27:33 AM
to smcwg-...@groups.cabforum.org
rundQuadrat votes YES on SMC014.

regards
stefan


黃晟(orca)

Sep 5, 2025, 6:10:52 AM
to smcwg-...@groups.cabforum.org

TWCA votes YES on SMC014.

 

 


Tom Zermeno

Sep 5, 2025, 5:18:03 PM
to smcwg-...@groups.cabforum.org

SSL.com votes “Yes” on SMC014.

 


Kateryna Aleksieieva

Sep 8, 2025, 7:24:43 AM
to smcwg-...@groups.cabforum.org

Certum votes YES on Ballot SMC014

 

Kind regards,

Kateryna Aleksieieva


Clint Wilson

Sep 8, 2025, 9:00:06 AM
to S/MIME WG
Apple votes Yes on SMC014.

Ashish Dhiman

Sep 8, 2025, 9:03:45 AM
to smcwg-...@groups.cabforum.org

GlobalSign votes Yes on SMC014

 

Ashish


Bruce Morton

Sep 8, 2025, 9:26:07 AM
to smcwg-...@groups.cabforum.org

Entrust abstains from ballot SMC014.

 

 

Bruce.

 


Marco Schambach

Sep 8, 2025, 9:36:25 AM
to smcwg-...@groups.cabforum.org

IdenTrust votes “Yes”

 

Marco S.

TrustID Program Manager

 


Pedro FUENTES

Sep 8, 2025, 9:42:32 AM
to smcwg-...@groups.cabforum.org, smcwg-...@groups.cabforum.org

Dimitris Zacharopoulos (HARICA)

Sep 8, 2025, 9:47:41 AM
to 'Stephen Davidson' via S/MIME Certificate WG - Public (CA/B Forum)
HARICA votes "yes" to ballot SMC014.

Ben Wilson

Sep 8, 2025, 10:13:19 AM
to smcwg-...@groups.cabforum.org
Mozilla votes "Yes" for Ballot SMC-014.


Alvin Wang

Sep 8, 2025, 11:07:04 AM
to S/MIME Certificate WG - Public (CA/B Forum), Stephen Davidson
SHECA votes YES on SMC014

Tim Hollebeek

Sep 8, 2025, 1:17:05 PM
to smcwg-...@groups.cabforum.org

DigiCert votes YES on SMC-014.

 

-Tim

 


大野 文彰

Sep 9, 2025, 12:38:25 AM
to smcwg-...@groups.cabforum.org

SECOM Trust Systems votes YES on Ballot SMC014.

 

Best regards,

 

ONO Fumiaki / 大野 文彰

SECOM Trust Systems CO., LTD.

 


Adriano Santoni

Sep 9, 2025, 2:18:09 AM
to smcwg-...@groups.cabforum.org

Actalis votes YES.

Regards.



Martijn Katerbarg

Sep 9, 2025, 3:25:31 AM
to smcwg-...@groups.cabforum.org
Sectigo votes YES on SMC-014


Michael Guenther

Sep 9, 2025, 9:18:03 AM
to smcwg-...@groups.cabforum.org
smime.p7m

peter.mez...@gmail.com

Sep 9, 2025, 9:39:50 AM
to S/MIME Certificate WG - Public (CA/B Forum), Stephen Davidson
Disig votes "YES" on Ballot SMC014: DNSSEC for CAA.

Regards

Peter Miskovic



Scott Rea

Sep 9, 2025, 12:08:28 PM
to smcwg-...@groups.cabforum.org

eMudhra Votes Yes to SMC014

 


Martijn Katerbarg

Sep 10, 2025, 1:23:07 PM
to smcwg-...@groups.cabforum.org
NOTICE OF REVIEW PERIOD
This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guidelines. The complete Draft Maintenance Guideline that is the subject of this Review Notice is attached to this email, both in red-line and changes-accepted draft format, in Word and PDF versions.

Summary of Review
Ballot for Review: SMC014: DNSSEC for S/MIME
Start of Review Period: 2025-09-10 18:00:00 UTC
End of Review Period: 2025-10-10 18:00:00 UTC

Members with any Essential Claim(s) to exclude must forward a written Notice to Exclude Essential Claims to the Working Group Chair and also submit a copy to the CA/B Forum public mailing list (email to public at cabforum.org) before the end of the Review Period.
For details, please see the current version of the CA/Browser Forum Intellectual Property Rights Policy.
(An optional template for submitting an Exclusion Notice is available at https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)


CA-Browser-Forum-SMIMEBR-1.0.12-Redline.pdf