Final Minutes of the Validation Subcommittee Teleconference - 2025-10-30


Corey Bonnell

Jan 8, 2026, 11:50:30 AM
to valid...@groups.cabforum.org

Below are the final minutes of the meeting indicated in the subject, as captured by Michael Slaughter and approved at the 2026-01-08 meeting of the validation-sc.

 

# Minutes of the Validation Subcommittee Meeting 2025-10-30

 

## Attendees 

Aaron Gable (Let's Encrypt), Ben Wilson (Mozilla), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Apple), Eduardo Almeida, Eric Kramer (Sectigo), Gurleen Grewal (Google), Henry Birge-Lee (Private person), Johnny Reading (GoDaddy), Kate Xu (TrustAsia), Li-Chun Chen (Chunghwa Telecom), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Michael Slaughter (Amazon), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Sean Huang (TWCA), Stephen Davidson (DigiCert), Steven Deitte (GoDaddy), Thomas Zermeno (SSL.com), Wayne Thayer (Fastly), Wendy Brown (FPKIMA), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

 

Wayne Thayer hosted the meeting in Corey's absence.

 

## Introduction 

* Wayne read the note well

* Confirmed that the note taker is Michael Slaughter

* The validation SC minutes from F2F 66 were approved

## Topics

Wayne explained that there are three different points that we wanted to prioritize discussing following the face-to-face: 

  1. Develop a term to encompass the concept of both an FQDN and Wildcard Domain Name
  2. Create an "explainer" or table that summarizes the semantics and requirements of each method in terms of allowing/disallowing CNAME chasing, wildcard issuance, or subdomain issuance, etc.
  3. Move normative requirements from "Note" at the bottom of each validation method specification

Wayne explained that based on the F2F minutes, Tim and Martijn took the action to review every instance of FQDN, WDN, and ADN in the BRs and prepare recommended redlines.

 

Aaron brought up https://github.com/cabforum/servercert/pull/619 and explained that discussion on the thread has been ongoing for a while and that Jacob Hoffman-Andrews (Let's Encrypt) has prepared an alternative proposal that would address all three of the points. That PR aims to make the definition of FQDN and WDN more consistent and would also directly address points 2 and 3. 

 

Wayne continued the discussion on https://github.com/cabforum/servercert/pull/619 and said that it matches the scope of what Tobi committed to at the F2F, which was to examine how email-to-ADN validation interacts with CNAME delegation to avoid unintended cross-domain authorization, which would cover point 2. 

 

Aaron replied that the three problems are actually tightly coupled and cannot be addressed independently. He explained some scenarios in which addressing just a single point would raise many other problems since there are many places where the BRs use FQDN to mean ADN or WDN. He stated that some validation methods allow for different parts of the ADN definition, different ADN derivation methods, and have different rules for other aspects such as CNAME following. Jacob's ballot would attempt to address those problems holistically. 

 

Rich stated that he largely agreed with Aaron. He initially left out the FQDN and WDN stuff since it would have vastly increased the scope of his ballot. Rich agreed that all of the issues should be addressed together. 

 

Aaron stated that Jacob's proposal will be slightly controversial not because it's changing anything huge but rather because it might be difficult to review. The proposal touches every validation method and we would have to do the critical analysis to determine if ADN label pruning is allowed for each specific method. 

 

Rich stated that the one goal he'd like to take as we go down this road is to try to give as much flexibility as possible for Subscribers to get their certificates absent any security concerns. Rich is in favor of not restricting things that do not need to be restricted in favor of Subscriber choice. 

 

Wayne explained that the first two points are clearly covered by Jacob's ballot but wanted to make sure the third point was also addressed. Tim at the F2F called out that normative requirements are contained within notes currently and should be relocated. Wayne asked Aaron if that would also be clarified by Jacob's ballot. 

 

Aaron explained that the ADN derivation formula is explicitly added and that there are explicit statements about what each method allows. This would also move the requirements and restrictions from the note into the normative text. 

 

Aaron also brought up another topic related to a comment by Dimitris on https://github.com/cabforum/servercert/pull/619 about section 3.2.2.4.7 (DNS Change). Dimitris called out that method 7 allows for an ADN or an ADN that is prefixed with a label that starts with an underscore, which raises the question: is acme challenge.example.com an ADN or an ADN prefixed with a label? Aaron went on to explain that CAs currently follow CNAMEs from the underscore-prefixed domain and CNAME that label to a cloud provider, but nowhere in the DNS method does it say that you are allowed to follow CNAME records from the ADN you are using. The text says find the CNAME at the ADN, but nothing in the ADN algorithm says you can prepend an underscore-prefixed label then follow that CNAME. We all understand what 3.2.2.4.7 is supposed to say, but Aaron doesn't think it says that right now. 

 

Wayne agreed that it is something we need to fix.

 

Rich asked if there is a security concern related to following CNAMEs for underscore-prefixed subdomains of the ADN. He argued that if there isn't one, the practice should be allowed. 

 

Aaron said he does not believe there is a security concern and that we should make it clear that the practice is allowed. 

 

Dimitris said that the text for ADN and the ADN prefixed with an underscore effectively make the terms interchangeable, but we probably need to make it more clear. 

 

Aaron stated that the problem right now is that the definition of ADN says these are additional things that you are allowed to do (prune labels, handle wildcards, follow CNAMEs, etc.). Additionally, 3.2.2.4.7 is also defining an additional thing that you can do (append an underscore-prefixed subdomain), and as a result, it is unclear what you can do with that. 

 

Dimitris asked if the problem was with 3.2.2.4.7 specifically or is something more general with the definition. 

 

Aaron thinks the underscore problem is specific to 3.2.2.4.7 since it allows you to determine an ADN by pruning labels and then attaching an underscore prefix for that ADN. This would be similar to following redirects for an Agreed Upon Change to a Website where the mechanism of performing the validation may have considerations specific to the method.

 

Slaughter reframed Aaron's point as a two-phase process where you first derive the ADN and then second you follow the agreed-upon mechanism in each validation method to perform validation for that ADN. 

 

Aaron agreed with that interpretation. 

 

Wayne adjourned the meeting.
