Final Minutes of the Validation Subcommittee Teleconference - 2025-10-02

[Corey Bonnell]

These are the final minutes for the meeting indicated in the subject, as captured by Aaron Gable and approved at the validation-sc meeting held on 2025-10-17.

 

# Minutes of the Validation Subcommittee meeting on 2025-10-02

## Attendees

Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Adriano Santoni (Actalis S.p.A.), Ben Wilson (Mozilla), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Apple), Enrico Entschew (D-TRUST), Gregory Tomko (GlobalSign), Gurleen Grewal (Google), Henry Birge-Lee (Henry Birge-Lee (Private person)), Iñigo Barreira (Sectigo), Joe Robinson (Microsoft), Li-Chun Chen (Chunghwa Telecom), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Michael Slaughter (Amazon), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Ono Fumiaki (SECOM Trust Systems), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Ryan Dickson (Google), Scott Rea (eMudhra), Sean Huang (TWCA), Shiloh Heurich (Fastly), Sven Rajala (Keyfactor), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

## Administrivia

* Notes taken by Aaron Gable  

* Note Well and Antitrust Statement read by Corey Bonnell  

* Roll call taken from Webex  

* Minutes from 2025-09-18 approved

## Ballot status of SC-088

* Michael Slaughter: Will enter voting period later today

## F2F Planning

* Corey: We have just under 1.5 hours on the schedule – what do we want to talk about?  

  * Opening suggestions: IP address validation method (see topic below)  

* Ryan Dickson: Maybe discuss Technically Constrained Subordinate CAs  

  * https://github.com/cabforum/servercert/issues/492  

  * Discuss why we still need this distinction, see if we can consolidate profiles  

* Corey: Would that be a topic for the larger ServerCert group?  

  * Ryan: Perhaps, although the profiles work started in this subcommittee  

  * Dimitris Zacharopoulos: The discussion will need to move to ServerCert, but could start here  

  * Wayne Thayer: Yeah, maybe more appropriate for ServerCert, but it’ll be the same group of people either way  

  * Corey: Sounds good, we’ll do this topic if we have time after other topics  

* Aaron Gable: We should maybe discuss how Section 3.2.2.4 handles “FQDN” versus “FQDN or Wildcard Domain Name”  

  * This has come up in the context of https://github.com/cabforum/servercert/pull/619, but should be a separate effort  

  * Corey: Can you file an issue? We can take it from there.  

  * Aaron: Done, filed https://github.com/cabforum/servercert/issues/621

* Corey: Alright, let’s move on with the agenda, and anything that spills over we’ll take to the F2F

## Persistent IP address validation method

* Gurleen Grewal: The draft PR is at https://github.com/geegeea/servercert/pull/1

  * The idea is to do a one-for-one swap, removing “Reverse Address Lookup” (3.2.2.5.3) and replacing it with a new “DNS TXT Record with Persistent Value in the Reverse Namespace”  

  * The proposed method is nearly identical to the new SC-088v3 “DNS TXT Record with Persistent Value” method; it normatively references it in fact  

  * The sunset date would be March 15, 2027.  

* Gurleen: The proposed method does not allow validation of whole blocks of IPs; that could be addressed in a follow-up ballot  

  * Henry Birge-Lee: I agree that validation of IP blocks should remain separate  

* Clint Wilson: Should the underscore-prefixed label include the string “ip” to make its purpose clear?  

  * Gurleen: Yes, that makes sense  

* Gurleen: We’re also not addressing CAA for IPs yet  

  * Aaron: Yeah, we’ll need to keep this in mind, but it doesn’t need to be addressed now  

  * Aaron: Having CAA for IPs would be a meaningful improvement to the security of the WebPKI  

  * Aaron: But the practical reality is that CAA tree-climbing for ip6.arpa with MPIC results in hundreds of queries to the arpa authoritative nameservers

  * Henry: And in fact CAA for IPs gets even messier, because IP delegations don’t always fall on byte boundaries like the .arpa namespace subdivides things  

  * Corey: Antonios Chariton wrote an (expired) Internet Draft on how CAA for IPs might work several years ago: https://datatracker.ietf.org/doc/draft-chariton-ipcaa/

  * Corey: We’ll probably want an IETF document, and then reference that in the BRs  

* Gurleen: So now we’re looking for endorsers  

  * Tobias Josefowitz: I would be happy to endorse  

  * Gurleen: Thank you, anyone else, please send me an email

## DNSSEC checks for email-based DCV methods

* Corey Bonnell: There’s been some concern that checking DNSSEC for MX records might be hard in some email stacks  

* Ryan Dickson: This concern was raised by Roman Fischer in https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/g4G7WF6uCHo/m/gX2Ek4S-BAAJ

* Tobias Josefowitz: This raises concerns about whether the mail delivery system is a delegated third party, if you don’t have control over how it enforces and reports DNSSEC  

* Aaron Gable: It’s possible that Roman’s concerns arise even from a wholly-internal self-hosted mail subsystem that just has a bad API for reporting DNSSEC failures  

* Henry Birge-Lee: Is part of Roman’s concern about DNSSEC logging requirements?  

* Tobias: Rather than pushing us to reconsider DNSSEC for email validation, this should instead push us to reconsider email validation as a whole  

* Wayne Thayer: Or maybe just consider a logging carve-out  

* Corey: And we do have https://github.com/cabforum/servercert/pull/616 (SC-090) which will sunset all the email-based methods anyway  

* Consensus: we should wait to hear more detail from Roman

## Meeting adjourned

* Next meeting will be at the Warsaw F2F

--
You received this message because you are subscribed to the Google Groups "Management (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to management+...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/management/CAEmnErc%2BJQO5W6aK-iiwSsFrXZc-PeCQmmDpZXnVC4GPavEd-Q%40mail.gmail.com.