Final minutes of the 2025-07-10 meeting of the validation-sc


Corey Bonnell

Jul 31, 2025, 7:58:46 AM
to valid...@groups.cabforum.org

These are the final minutes of the meeting indicated in the subject, as captured by Corey Bonnell and approved at the 2025-07-24 meeting of the validation-sc.

 

# Meeting

 

2025-07-10 Validation sub-committee

Minute-taker: Corey Bonnell

 

# Attendees

 

Ben Wilson (Mozilla), Chris Clements (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Doug Beattie (GlobalSign), Henry Birge-Lee (Private person), Jaime Hablutzel (OISTE Foundation), Johnny Reading (GoDaddy), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kate Xu (TrustAsia), Li-Chun Chen (Chunghwa Telecom), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Ryan Dickson (Google), Scott Rea (eMudhra), Sven Rajala (Keyfactor), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)

 

# Minutes

 

Corey Bonnell read the Note-well.

 

## SC-88

 

Doug Beattie raised a few questions on the Github PR (https://github.com/slghtr-says/servercert/pull/3/files). Doug said the first question was about supporting this new method in ACME. Would the ACME server check for persistent records automatically upon receiving a new order, or would it wait until validation is requested? If the server checks automatically, then that might be slow due to the number of DNS queries required.

 

Henry Birge-Lee said that the second option of waiting until validation time would require a new validation method, which would entail changes in ACME servers and clients. Corey mentioned that the new method can be done with dns-01 and automatic hill-climbing, but it would be cleaner to have a new ACME method. Doug said that the ACME changes aren't blocking for the ballot but it would be valuable to have this worked on separately.

 

Henry highlighted that part of the question on Github touched on MPIC and said that OpenMPIC currently does not implement automatic hill-climbing; the CA would have to implement that manually using separate calls to OpenMPIC for each domain.

 

Doug's second question was about validation reuse timelines. Doug proposed adding a new parameter in the TXT record that specifies for how long a validation is valid. Ryan Dickson said that doing so would introduce complexity and that the proposed use of TTL mirrors how CAA is done. Ryan said that the "persistUntil" parameter also allows a domain owner to limit the validity of the TXT record itself, to align with longer-term operational considerations (such as contract expiry). Doug said that he was concerned that the combination of validation reuse period, TTL, and "persistUntil" is complex. Corey suggested that adding examples that state whether a particular validation is valid given certain reuse period, TTL, and persistUntil values would be useful to clarify the different moving parts.
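The following is an added example, not part of the minutes and not the SC-88 ballot or PR text, modelling the moving parts discussed above: a CAA-style "hill-climbing" lookup of a persistent TXT record, a "persistUntil" parameter, the record TTL, and the CA's validation reuse period. The record label (`_validation-persist`), the `key=value; key=value` parameter syntax, the zone contents and the rule that a cached record may not be relied on past its TTL without a fresh query are all assumptions chosen for illustration; the actual ballot may define these differently.

```python
"""Added example (assumptions, not ballot text): persistent DNS TXT
validation with label climbing, persistUntil, TTL and reuse period."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed record label; the real ballot may use a different one.
VALIDATION_LABEL = "_validation-persist"

# Constructed zone data for the example: owner name -> (TTL seconds, TXT strings).
# Only the apex carries the persistent record; subdomains rely on climbing.
CONSTRUCTED_ZONE = {
    "_validation-persist.example.com": (
        3600, ["v=1; token=abc123; persistUntil=2026-01-31T00:00:00Z"]),
    "example.com": (86400, ["unrelated txt record"]),
}


def candidate_names(fqdn: str):
    """Yield owner names from the FQDN upward (CAA-style climb), stopping
    before the bare TLD so a record on 'com' can never authorize anything."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield f"{VALIDATION_LABEL}." + ".".join(labels[i:])


def lookup(fqdn: str, zone=CONSTRUCTED_ZONE):
    """Return (owner, ttl, txts) for the closest record found while climbing."""
    for name in candidate_names(fqdn):
        if name in zone:
            ttl, txts = zone[name]
            return name, ttl, txts
    return None


def parse_params(txt: str) -> dict:
    """Parse the assumed 'k=v; k=v' TXT syntax into a dict."""
    params = {}
    for part in txt.split(";"):
        part = part.strip()
        if part and "=" in part:
            k, v = part.split("=", 1)
            params[k.strip()] = v.strip()
    return params


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class PersistentValidation:
    owner: str
    token: str
    performed_at: datetime
    ttl: int
    persist_until: Optional[datetime]


def record_validation(fqdn: str, performed_at: datetime, expected_token: str,
                      zone=CONSTRUCTED_ZONE) -> Optional[PersistentValidation]:
    """Climb for a record carrying the expected token that has not already
    passed its persistUntil at the time the validation is performed."""
    found = lookup(fqdn, zone)
    if found is None:
        return None
    owner, ttl, txts = found
    for txt in txts:
        p = parse_params(txt)
        if p.get("token") != expected_token:
            continue
        pu = parse_time(p["persistUntil"]) if "persistUntil" in p else None
        if pu is not None and performed_at > pu:
            continue
        return PersistentValidation(owner, p["token"], performed_at, ttl, pu)
    return None


def reuse_decision(v: PersistentValidation, now: datetime, max_reuse: timedelta,
                   last_checked: datetime) -> Tuple[bool, str]:
    """Three independent limits, checked in order: the CA's reuse period,
    the domain owner's persistUntil, and (assumed) the TTL of the cached copy."""
    if now > v.performed_at + max_reuse:
        return False, "validation reuse period exceeded"
    if v.persist_until is not None and now > v.persist_until:
        return False, "persistUntil passed"
    if now > last_checked + timedelta(seconds=v.ttl):
        return False, "cached record TTL expired; re-query DNS before relying on it"
    return True, "ok"


def check_issuance(fqdn: str, token: str, performed_at: str, last_checked: str,
                   now: str, max_reuse_days: int, zone=CONSTRUCTED_ZONE):
    """Convenience wrapper over ISO-8601 'Z' timestamps."""
    v = record_validation(fqdn, parse_time(performed_at), token, zone)
    if v is None:
        return False, "no matching persistent record found"
    return reuse_decision(v, parse_time(now), timedelta(days=max_reuse_days),
                          parse_time(last_checked))


if __name__ == "__main__":
    for now in ("2025-07-10T00:30:00Z", "2025-07-10T02:00:00Z",
                "2026-02-01T00:00:00Z", "2027-01-01T00:00:00Z"):
        print(now, check_issuance("www.example.com", "abc123",
                                  "2025-07-10T00:00:00Z", "2025-07-10T00:00:00Z",
                                  now, 398))
```

The four timestamps in the `__main__` block walk through the cases Corey asked for: within all three limits, past the cached record's TTL, past persistUntil while still inside the reuse period, and past the reuse period. A per-domain caller (as Henry noted OpenMPIC would require) would invoke `lookup` once per FQDN rather than once per order.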

 

## Validation Summit

 

Corey said that an email was sent to the list with the two survey questions but there were no replies. Ryan said that Chrome considered sending out a similar survey but decided against it since it would not change any decisions being made about updating the allowed validation methods. He said that a similar effect in this group would likely not be useful. Wayne Thayer agreed with Ryan that the survey would likely not be useful and instead suggested that we measure methods based on their conceptual security and agility.

 

Chris Clements said that CCADB has information on the methods that CAs report as in use and offered to circulate a report capturing this information.

 

Doug asked Ryan and Chris about their plans for upcoming method deprecations, such as for email. Ryan said that they'd consider deprecation of methods that cannot be done quickly, such as using postal mail. Ryan then shared a link (https://docs.google.com/document/d/1B7ZwGa-lZRlSJFhzbb5PgXbHAnVFH4-7mKPcXAMmaCo/edit?tab=t.0) to a proposal that sunsets several methods that are deemed to not be automatable or have other undesirable aspects. Ryan said this proposal can be a starting point for discussion and is not yet formal. He also said that he sees SC-88 as valuable as it provides a new, highly automatable method that Subscribers can migrate to before deprecating methods.

 

Ryan asked if Henry could present his findings regarding validation methods while implementing OpenMPIC. Henry said that he would need approximately 20 minutes for that presentation. It was agreed to have that presentation at the next meeting.

 

There was no other business. Meeting adjourned.
