Final Minutes of the 2025-08-07 CA/B Forum Validation Subcommittee Teleconference


Corey Bonnell

Sep 4, 2025, 1:18:42 PM
to valid...@groups.cabforum.org

These are the final minutes of the meeting indicated in the subject, as captured by Greg Tomko and approved at the validation-sc teleconference on September 4th.

 

Meeting Facilitator: Corey Bonnell

 

Minute Taker: Greg Tomko

 

Attendees 

Aaron Poulsen (Amazon), Adrian Mueller (SwissSign), Ben Wilson (Mozilla), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Gregory Tomko (GlobalSign), Gurleen Grewal (Google), Henry Birge-Lee (Henry Birge-Lee (Private person)), Iñigo Barreira (Sectigo), Johnny Reading (GoDaddy), Li-Chun Chen (Chunghwa Telecom), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Michael Slaughter (Amazon), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pekka Lahtiharju (Telia Company), Rebecca Kelly (SSL.com), Rollin Yu (TrustAsia), Ryan Dickson (Google), Sean Huang (TWCA), Shiloh Heurich (Fastly), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wiktoria Więckowska (Asseco Data Systems SA (Certum))

 

 

Routine Items

Corey read the Note Well.

 

The following Validation Subcommittee Meeting Minutes were approved without objection:

  • 2025.06.12 (Minute Taker: Martijn Katerbarg)
  • 2025.06.26 (Minute Taker: Aaron Poulsen)
  • 2025.07.24 (Minute Taker: Wayne Thayer)

 

Addition to Agenda: Proposed cancelation of next session on August 21st.

  • Approved without objection. Next meeting will be on September 04, 2025.

 

 

SC-088 Status

Michael Slaughter has posted a pull request with proposed updates to SC-088 (https://github.com/cabforum/servercert/pull/608/files). Discussion on the call between Michael Slaughter, Corey Bonnell, and Ryan Dickson on when to open discussion vs. voting period given the August recess.  

 

Conclusion: Discussion Period can start immediately; voting will open in September after August recess.

 

 

High Risk Checks

Amazon has taken on proposing and circulating a ballot on clarifying / potentially removing the requirement for high risk checks.

 

 

TLD / Registry-Controlled Domain Validation

Corey presented on section 3.2.2.6 of the TLS BRs (https://github.com/cabforum/servercert/blob/main/docs/BR.md#3226-wildcard-domain-validation), highlighting an issue: CAs MUST determine if the FQDN for validating a wildcard domain is registry-controlled or a public suffix. However, what qualifies as "registry-controlled" is not standardized, and what exactly is meant by proving control of an entire namespace is not clearly defined, resulting in a lot of leeway. The following questions were posed to the subcommittee:

  1. Do we want to mandate use of the PSL (Public Suffix List)? (Prior answer was No, including from Ryan Sleevi, a maintainer of the PSL.)
  2. What is an appropriate way for an applicant to demonstrate control over an entire domain space? (Prior discussion suggested perhaps only method 7, DNS-Based validation would be allowed, but this was never codified.)

 

Discussion Summary:

  • Previous rejection of mandating use of the PSL was potentially due to it not being as strong of a method as DNS. 
  • The original scope of 3.2.2.6 was likely targeting Branded gTLDs covered by ICANN Specification 13 (e.g., .toyota), but 3.2.2.6 is not clearly restricted to this.
    • Michael Slaughter noted the BR definition for "Base Domain" does include such a callout: "...For FQDNs where the right-most Domain Name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name."
  • Henry Birge-Lee questioned whether 3.2.2.6 would permit, for example, issuance of a *.com certificate to Verisign.
    • Ben Wilson noted that 3.2.2.6 doesn't mandate or restrict the validation methods to those defined in 3.2.2.4, and that the phrase "an appropriate way" at the end of 3.2.2.6 is not clearly defined and may enable a circumstance where issuance to *.com is permitted.

 

Topic still requires further discussion and the following questions remain:

  1. Should the scope of 3.2.2.6 be limited to the gTLDs covered by ICANN Specification 13 or is it appropriate to also include ccTLDs or other gTLDs not covered by Specification 13?
  2. For the TLDs that ultimately fall under 3.2.2.6, which validation methods are permitted / required to prove control of an entire domain space?

 

Corey Bonnell opened a GitHub issue to facilitate further discussion: https://github.com/cabforum/servercert/issues/609

 

 

Validation Summit Next Steps

Corey referenced Henry's presentation "Validation Method Considerations for Validation Summit" from the July 24th Validation Subcommittee meeting, noting the concerns surrounding "crossover domain validation methods" using reverse DNS.

 

Ryan Dickson stated that Chrome fully intends to move forward the pre-ballot that was shared a few weeks ago. Noted that the reduction in allowed validation methods might obviate the need for the Validation Summit. Ryan agreed to walk through the ballot at the next Validation Subcommittee meeting on September 4, 2025. 

 

 

Any Other Business

No other business; the next meeting is scheduled for 2025.09.04. Meeting adjourned.
