2025-04-03 Final Minutes of the validation-sc

Corey Bonnell

Apr 17, 2025, 1:17:54 PM
to valid...@groups.cabforum.org

Here are the final minutes of the meeting described in the subject as recorded by Ben Wilson and approved during the 2025-04-17 meeting of the validation-sc.

 

Thanks,

Corey

 

# CA/B Forum – Validation Subcommittee Meeting Minutes


**Date:** 3 April 2025  
**Chair:** Corey Bonnell  
**Minutes Taken By:** Ben Wilson  

---

## 1. Roll Call and Housekeeping

- Meeting called to order by Corey Bonnell.
- Attendees:  Aaron Poulsen - (Amazon), Ben Wilson - (Mozilla), Bruce Morton - (Entrust), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Doug Beattie - (GlobalSign), Dustin Hollenback - (Microsoft), Gregory Tomko - (GlobalSign), Henry Birge-Lee - (Private person), Jaime Hablutzel - (OISTE Foundation), Johnny Reading - (GoDaddy), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)), Kate Xu - (TrustAsia), Kiran Tummala - (Microsoft), Luis Cervantes - (SSL.com), Mahua Chaudhuri - (Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Nome Huang - (TrustAsia), Pekka Lahtiharju - (Telia Company), Rollin Yu - (TrustAsia), Roman Fischer - (SwissSign), Scott Rea - (eMudhra), Thomas Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wayne Thayer - (Fastly)
- Participants were reminded of compliance with the CA/B Forum Bylaws, Antitrust Policy, Code of Conduct, and IPR Policy.

---

## 2. Approval of Minutes

- No minutes were approved during this meeting.
- Prior meeting minutes (face-to-face) taken by Michael Slaughter are pending confirmation before circulation and approval.

---

## 3. Agenda Review

**Topics:**

1. Follow-up on DNSSEC-based domain validation
2. Draft ballot to sunset issuance of certificates for `.arpa` domain names
3. Backlog grooming

No additional agenda topics were proposed.

---

## 4. DNSSEC-based Domain Validation

- Clint Wilson plans to move the ballot into the discussion period next week.
- Effective date in the current draft: **15 November 2025**.
- Feedback encouraged either before or during the discussion period.

---

## 5. Sunsetting `.arpa` Certificates

- Corey shared draft ballot ([GitHub Issue #153](https://github.com/cabforum/servercert/issues/153)).
- The `.arpa` TLD is reserved for infrastructure-related use (e.g., reverse DNS) and is not suitable for TLS certificates.
- Although previously unused, recent issuance activity was discovered.
- Proposed sunset effective date: **15 September 2025**.
- **Endorsers:** Clint Wilson and Tobias Josefowitz.
- Corey to allocate ballot number (likely **SC86**) and proceed.

---

## 6. Backlog Grooming – [GitHub Project Review](https://github.com/orgs/cabforum/projects/1/views/1)

### a. [CA as Subscriber - Shared Definitions WG](https://github.com/cabforum/servercert/issues/366)
- Awaiting progress from the Definitions WG.

### b. [Country Name in DV Certificates](https://github.com/cabforum/servercert/issues/457)
- General agreement to prohibit `countryName` in DV certificates.
- **Action:** Martijn Katerbarg to file a new Server Cert WG issue to track.

### c. [Delegated DNS Validation](https://github.com/cabforum/servercert/issues/362)
- Related to work led by Michael Slaughter. Kept open.

### d. [Standard CAA Semantics](https://github.com/cabforum/servercert/issues/353)
- Ongoing ballot work led by Wayne Thayer. Kept open.

### e. [ARPA Clarification](https://github.com/cabforum/servercert/issues/153)
- Addressed by the `.arpa` sunset ballot. Now in motion.

### f. [EV Certificate Automation](https://github.com/cabforum/servercert/issues/467)
- Discussion on automating EV issuance and validation.
- Agreement that it is feasible under current guidelines.
- Doug Beattie to follow up with Eva (GlobalSign).
- Interested participants: Ben Wilson, Clint Wilson.

### g. [CAA for `.onion` Domains](https://github.com/cabforum/servercert/issues/448)
- Awaiting RFC publication.
- Will revisit upon finalization.

### h. [Registrar Domain Challenge-Response DCV Method](https://github.com/cabforum/servercert/issues/351)
- Original proposal unclear and overlaps with Method 12.
- Security modeling concerns noted.
- **Resolution:** Close issue unless reintroduced with clearer rationale.

### i. [Technically Constrained SubCAs – Validation Lifespan](https://github.com/cabforum/servercert/issues/326)
- Issue remains relevant but not high priority.
- Retained in backlog for future attention.
- Clarified that this is **not** an Apple Root Program action item.

### j. [Analyze Disclosures of Jurisdiction of Incorporation](https://github.com/cabforum/servercert/issues/363)
- Issue #363 is duplicative of Issue #355 (below).
- **Resolution:** Closed.

### k. [LEIs in Subject Fields](https://github.com/cabforum/servercert/issues/354)
- Interest expressed by Certum and others.
- **Action:** Kateryna Aleksieieva to follow up with Stephen Davidson.

### l. [Standardization of State/Province Names](https://github.com/cabforum/servercert/issues/364)
- Longstanding issue without clear path forward.
- **Resolution:** Closed.

### m. [Allow List of Registration Agencies](https://github.com/cabforum/servercert/issues/355)
- Reframed as a **non-exhaustive resource**, not a normative requirement.
- **Action:** Ben Wilson to drive this effort.
- Title updated to clarify purpose and avoid "allow list" terminology.

---

## 7. Next Steps

- Next meeting: April 17, 2025
- Anticipated topics:
  - Continued backlog review, starting with: _"Ensure CAs collect sufficient data to investigate CAA errors"_
  - Updates on ballots including DNSSEC and `.arpa` proposals.

---

## 8. Adjournment

- Meeting adjourned
