Final minutes for the Validation Subcommittee teleconference - May 15, 2025


Corey Bonnell

May 29, 2025, 12:39:57 PM
to Validation Subcommittee (CA/B Forum)

Here are the final minutes of the meeting indicated in the subject, as captured by Scott Rea and approved on the May 29th validation-sc call.

 

Meeting Date: 2025-05-15

 

Attendees: Aaron Gable (Let's Encrypt), Aneta Wojtczak (Microsoft), Ben Wilson (Mozilla), Bineesh Vadakkekandi (Microsoft), Bruce Morton (Entrust), Chris Clements (Google), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Doug Beattie (Globalsign), Enrico Entschew (D-Trust), Eric Kramer (Sectigo), Gregory Tomko (GlobalSign), Gurleen Grewal (Google), Henry Birge-Lee (Private person), Inigo Barreira (Sectigo), Johnny Reading (GoDaddy), Kate Xu (TrustAsia), Kateryna Aleksieieva (Certum), Luis Cervantes (SSL.com), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Pekka Lahtiharju (Telia), Rebecca Kelly (SSL.com), Rollin Yu (TrustAsia), Ryan Dickson (Google), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera), Trevoli Ponds-White (Amazon), Wendy Brown (US Federal PKI Management Authority), Yamian Quintero (Microsoft)

 

Corey Bonnell read the Note Well

Scott Rea assigned minute taker in absence of Andrea Holland and/or Janet Hines

 

Approval of Minutes:

- The 2025-04-17 Meeting of VSC minutes penned by Tom Zermeno were approved.

- The 2025-05-01 Meeting of VSC minutes penned by Chris Clements were approved.

 

Agenda:

1. Continued discussion on SC-82 redux (CA-assisted validation) https://github.com/slghtr-says/servercert/pull/3

2. Continued discussion on SC-85 (DNSSEC) https://github.com/cabforum/servercert/pull/579

3. Backlog grooming (time permitting)

 

Continued discussion on SC-82 redux (CA-assisted validation) https://github.com/slghtr-says/servercert/pull/3/files:

- Michael Slaughter incorporated feedback from the last few meetings into the draft and is looking for comments and additional feedback. Using the following link in the meeting to review:  https://github.com/slghtr-says/servercert/pull/3

- MS: Following the last discussion two weeks ago, we made a number of changes to the ballot text based on various suggestions from various folks, feels like the direction that we're headed in is great. In Summary - 1st, we incorporated Henry's suggestion to use a single well defined label instead of the method seven language of a _prefix subdomain of the authorization domain. Henry also suggested in a follow up email to use the valid_validation-persist label, which is now the text added to the ballot.  In order to support this, as was Martin's suggestion, we added a definition for that label and then reference that definition inside the method 22 first opening sentence in order to add that consistency. Also adopted a change to the language to specify "one" instead of "a", as suggested by Wayne.

- MS: Next after various discussions shifted the entirety of the ballot away from the use of the term static/durable and replaced those with persistent and persist, for alignment and clarity. Also merged the PR from Corey that changed the RDATA value to align with CA record language for consistency. So the section 1005 through 1007 now produces a value that is pretty much identical to the CA record language with references to the various RFCs and different sections. Thanks to all for contributions.

- MS: Aaron gave some suggestions on how to make the validation reuse language clear and capture the intent, which is that the DNS records validation reuse is based on the TTL or 8 hrs, whichever is greater, but it cannot exceed the general validation use period specified in 4.21 with explicit alignment to the reducing ceiling.

- MS: Next Steps are wait a week (at most) to incorporate any further feedback before opening the PR at the server cert mainline branch and work on the preamble language to add the background and necessary links to all the docs and supporting comments etc.

- MS: There is one other item seeking to discuss this week: Wayne opened a question about how we want to handle those security discussions and Henry sent out a white paper in this regard that is very helpful in framing the discussion from a security lens. Also wanted to open the discussion to this group about what other open questions, or what other activities or things that we should do or suggested to do in order to push this forward. Will link to the white paper and the preamble to explain all the prior work done and then see what questions result.

- CB: Suggested moving the MUST level requirement out of the note and just putting in its own sentence above it, so there aren't normative requirements in notes.

- MS: Point of Order question, should this, when eventually introduced as a ballot, should it be under a SC 82V2 or should it be a new ballot number? Corey suggested it should be a new Ballot number e.g. SC-088.

 

- GG: Gurleen raises a question about whether the requirements of section 8.7 (CA Self Audits) would apply to DNSSEC validation should the ballot become effective? If so, then this should be made explicit in the text.

- HB: Henry strongly believes that DNSSEC validation change should not be included in self-audits. Others comment on the ambiguity not being helpful.

- Gurleen to propose a suggestion that would exclude any type of DNS SEC validation chain or DNS SEC signatures from the self-audit.

- HB: Back to Effective Dates: Given prior discussion and comments in respect to effective dates and taking traditional low end of year periods into account, pushing to March might be the best option.

- DH: It would be helpful to have some DNSSEC checking tools in advance of requirements. Some tooling requirements and potential candidates were discussed.

 

- Enrico raised an item before group went to Backlog: What is current status of ballot SC-085 about ARPA domains? Corey indicated it's actually SC-086 and there is an open question that requires addressing by endorsers, which is yet to be finalized.

 

Final Agenda Item - Backlog:

Starting with Item 356 in Backlog...

- There's an exception in the CAA validation language that if there's a CAA lookup failure, the CA can still issue if it's determined that the error is caused by some hiccup outside the CA infrastructure. But there needs to be better clarity around what needs to be captured in this case.

- There is some discussion about whether events due to community maturity have overtaken this need. Ryan D suggests more specificity is required and would be helpful, doesn't personally have bandwidth, but would not like to see the issue get dropped. Dimitris thinks the audit trail overhead is too much so some work on language is needed. Ryan accepts assignment to work on the item after all. Suggested to perhaps have 2 focuses - one on errors outside CA infrastructure and one on the logging requirements.

 

Item 384 in Backlog - pending prohibition in the certificate profiles ballot in respect to Key Usage

- Suggestion about splitting data encipherment and key agreement key usage bits. Data encipherment is used only for RSA and key agreement would be for ECC. The express proposal is to make the prohibition explicit in the BRs. Martijn accepts the assignment to review.

 

Item 404 in Backlog - impacts of new validation method. No finalizing of process in IETF yet so this issue remains not really valid yet. Proposed to leave on backlog for another 12 months to see if relevancy materialises.

 

Item 400 in Backlog - issue from F2F #57 in Berlin around when CSR is needed.

- Aaron agrees to take assignment to review because he is doing symbiotic work in IETF on a potential ACME extension.

 

Completed all Backlog items review.

 

Meeting Close

 
