Final minutes for Validation Subcommittee teleconference - May 29, 2025
Corey Bonnell
These are the final minutes of the Validation Subcommittee teleconference on May 29, 2025, as captured by Janet Hines and approved at the validation-sc meeting on June 12, 2025.
Meeting Date: May 29, 2025
Attendees: Adriano Santoni - (Actalis S.p.A.), Ben Wilson - (Mozilla), Bineesh Ambali Vadakkekandi - (Microsoft), Bruce Morton - (Entrust), Chris Clements - (Google), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Cynethia Brown - (US Federal PKI Management Authority), Gregory Tomko - (GlobalSign), Henry Birge-Lee - (Henry Birge-Lee (Private person)), Iñigo Barreira - (Sectigo), Jaime Hablutzel - (OISTE Foundation), Janet Hines - (VikingCloud), Johnny Reading - (GoDaddy), Kateryna Aleksieieva - (Asseco Data Systems SA (Certum)), Kate Xu - (TrustAsia), Li-Chun Chen - (Chunghwa Telecom), Mahua Chaudhuri - (Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon), Michelle Coon - (OATI), Nargis Mannan - (VikingCloud), Nate Smith - (GoDaddy), Nome Huang - (TrustAsia), Ono Fumiaki - (SECOM Trust Systems), Ryan Dickson - (Google), Scott Rea - (eMudhra), Steven Deitte - (GoDaddy), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)
Corey Bonnell read the Note Well.
Janet Hines was assigned the minute taker.
Approval of Minutes:
Meeting minutes from the May 15, 2025, meeting taken by Scott Rea were approved.
Agenda:
F2F Planning
- How much time do we need?
- What do we want to talk about?
- CA-assisted validation
- Anything else?
Ballot Updates:
SC-085: Require DNSSEC (when present) for CAA and DCV Lookups
- Has moved to the Server Certificate Working Group and started the discussion period.
F2F Planning:
[Note: The order that these are listed is the order that we agreed to discuss them at the F2F.]
- (SC-82 redux) CA-assisted validation method changes in the ballot will be summarized and discussed as needed. (30 minutes)
- Validation Summit discussion high level planning
- Wayne Thayer posed the question about where we left the discussion about having another validation summit discussion.
- Can we use the time at the F2F for planning and ideas for how to move forward on this item?
- Would we like to review in a holistic way or using some open MPIC implementation insights for review of methods?
- Would we like an anonymous poll from CAs on volume for the various domain validation methods in place today? There currently is disclosure in CCADB on domain validation methods used but not any data on frequency of use.
- At the F2F we will open this discussion to the larger community to discuss how to best move forward.
- TLD Requirements in BRs
- Trevoli Ponds-White brought the topic on the validation rules being vague in this area.
- Could this be lifted now that we have done away with the domain validation using “any other method”?
- Henry Birge-Lee brought up the interesting interplay between TLD and CAA records. Need some clarity on when and how a TLD can be signed and what implications it has to domain owners at that TLD.
- High Risk Requirements
- Trev brought the topic on the validation rules being vague in this area as well.
- Baseline Requirements Section 4.2.1, CA needs to have additional verification activity for high-risk certificate requests.
- What is the goal of the high-risk additional verification, and does it really need to be a requirement?
- Clint Wilson – The last change in this area has the current high-risk rejections being stored in a database. Only internally auditable and conceptually good to have, but not externally measurable without consistent implementation.
- If time permits, we can look through the backlog for a high priority item to discuss.