Here are the final minutes of the meeting as indicated in the subject and recorded by Thomas Zermeno and approved at the 2025-05-15 validation-sc meeting.
# CA/B Forum – Validation Subcommittee Meeting Minutes
**Meeting Title:** CA/Browser Forum Validation Subcommittee
**Date:** 17 April 2025
**Chair:** Corey Bonnell
**Minutes Taken By:** Thomas Zermeno
---
## 1. Roll Call and Housekeeping
- Meeting called to order by Corey Bonnell.
- Attendees: Kateryna Aleksieieva (Certum by Asseco), Stephen Davidson (DigiCert), Pekka Lahtiharju (Telia), Enrico Entschew (D-TRUST), Jaime Hablutzel (WISeKey), Corey Bonnell (DigiCert), Chris Clements (Google), Dustin Hollenback (Microsoft), Eric Kramer (Sectigo), Yamian Quintero (Microsoft), Karina Sirota Goodley (Microsoft), Thomas Zermeno (SSL.com), Michael Slaughter (Amazon Trust Services), Roman Fischer (SwissSign), Greg Tomko (GlobalSign), Scott Rea (eMudhra), Mahua Chaudhuri (Microsoft), Kate Xu (TrustAsia), Steven Deitte (GoDaddy), Rollin Yu (TrustAsia), Ben Wilson (Mozilla), Nargis Mannan (Viking Cloud), Wendy Brown (FPKIMA), Luis Cervantes (SSL.com), Rebecca Kelley (SSL.com), Li-Chun Chen (Chunghwa Telecom), Ryan Dickson (Google Chrome), Martijn Katerbarg (Sectigo), Corey Rasmussen (OATI), Doug Beattie (GlobalSign), Henry Birge-Lee (Interested Party), Nate Smith (GoDaddy), Trevoli Ponds-White (Amazon Trust Services), Nome-Huang (TrustAsia), Wayne Thayer (Fastly), Michelle Coon (OATI)
- Note Well read by Corey Bonnell.
---
## 2. Approval of Minutes
- Face-to-Face minutes were only recently circulated, so they will be approved at a later date.
- April 3, 2025 meeting minutes were approved.
---
## 3. Agenda Review
**Topics:**
1. Resume discussion on the next iteration of SC-082.
2. SC-085 - DNSSEC Ballot.
3. Resume backlog grooming.
No additional agenda topics were proposed.
---
## 4. SC-082: CA Assisted Domain Validation - Michael Slaughter
- Proposed 3.2.2.4.22 DNS Change with Static Value utilizes a DNS Text Authorization Domain with an underscore prefix, similar to method 7.
- Text is not finalized; open to feedback/nits/phrasing, etc.
- Initial focus on DNS Text; CAA, CNAME methods to be addressed later.
- Method utilizes CA Identifier and AccountURI, but there were concerns about publishing the public key in DNS text, mainly about agility and the handling of large amounts of text in DNS records. Slaughter may amend the method to use a hash of the key, or remove the option entirely.
- Regarding validation reuse period reduction, Slaughter proposed using the period defined in SC-081, instead of having multiple reduction periods for different methods. Matching CAA was also considered, but CAs would need to check with development teams to determine if this was a viable consideration.
- Regarding the definition of "accounts" on the CA side, the question was whether it would be best to leave the term undefined with a reference to RFC 8657 or to nail down a scoped meaning. There was no strong push to have a formal definition within the ballot. Likely, a reference to the RFC will be used.
- DNSSEC will not be addressed in this ballot; leaving that for future ballot SC-085.
- An effective date for the ballot is required, but not yet specified.
---
## 5. SC-085: DNSSEC updates - Henry Birge-Lee
- Birge-Lee gave an update on the status of the ballot text and clarified that references to the SHA-2 and NSEC3 RFCs would be preferable to RFC 6840.
- Added text that CAs MUST NOT use local policy to disable DNSSEC validation for domains related to domain authorization or control.
- RFC 4035 has outdated language about the DNS message size; large messages (4k bytes) can cause fragmentation that leads to vulnerabilities. The ballot will have a SHOULD recommendation to use a more manageable size.
- Clarification that the terms "bogus" and "indeterminate" don't need to be distinguished.
- Rather than pointing to previous RFCs with obsolete advice, it was deemed better to specifically declare requirements.
- Effective dates will be considered in later calls.
---
## 6. Backlog Grooming
- No time for this topic.
---
## 7. Adjournment
- Meeting adjourned.