Final Minutes: Validation Subcommittee - June 11, 2026

66 views
Skip to first unread message

Stephen Davidson

unread,
Jul 3, 2026, 4:10:41 PMJul 3
to valid...@groups.cabforum.org

Meeting: 2026-06-11 CA/Browser Forum Validation Subcommittee
Host: Corey Bonnell (Digicert)
Minute Taker: Dimitris Zacharopoulos (HARICA)


Attendees:

Aaron Gable (Let's Encrypt), Adam Fiock (SSL.com), Adriano Santoni (Actalis S.p.A.), Andrea Holland (IdenTrust), Ben Wilson (Mozilla), Corey Bonnell (DigiCert), Dustin Hollenback (Apple), Georgy Sebastian (Amazon), Jaime Hablutzel (OISTE Foundation), Janet Hines (SSL.com), John Mason (Microsoft), Kiran Tummala (Apple), Li-Chun Chen (Chunghwa Telecom), Michael Slaughter (Amazon), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Rich Smith (DigiCert), Rob White (GoDaddy), Rollin Yu (TrustAsia), Roman Fischer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Shiloh Heurich (Fastly), Stephen Davidson (DigiCert), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wiktoria Więckowska (Asseco Data Systems SA (Certum)).

Start of the meeting: 

Corey read the Note Well.

Agenda:

  1. Administrivia
  2. DNSSEC clarification ballot (https://url.avanan.click/v2/r01/___https://github.com/cabforum/servercert/pull/667___.YXAzOmRpZ2ljZXJ0OmE6bzo0YmM2YjM0OTFiZjRlODQ5NDJiMWFhMzFiNTc1OGUzYjo3OjM4MGU6N2NlN2RiMzA2ZGYxN2NjYzRkYWM3ZDE5NGVkZjllMjUyODUzYWUyM2U4NzhhNmRiYmU3Zjc2YTViODJmNjc1Zjp0OlQ6Rg)
  3. EV Domain Ownership validation ballot (https://url.avanan.click/v2/r01/___https://github.com/cabforum/servercert/pull/661___.YXAzOmRpZ2ljZXJ0OmE6bzo0YmM2YjM0OTFiZjRlODQ5NDJiMWFhMzFiNTc1OGUzYjo3OmM3OTM6ODFlZjVhMDQ3ZGQ0MWM4NGVmNDNjMjk2ZDI5ZTQ5OTFiY2Y3N2IyODk0YWJjODM3MTRmNDY4MjY0YTgwNjU5NDp0OlQ6Rg)
  4. Discussion and review of verification of data sources ballot


1. Administrativia

  • Meeting minutes for March 10, 2026 (F2F#67) taken by Trevoli Ponds-White (Amazon) were approved without objection.
  • Meeting minutes for May 28, 2026 taken by Aaron Gable (Let's Encrypt) were approved without objection.

Corey announced that he is stepping away from his role at Digicert and will not be serving as the Chair of the Validation Subcommittee. Stephen Davidson will be taking over as chair. Dustin asked if there is an official process to follow when a Chair leaves in the middle of the term, whether the chair needs to be replaced by a person from the same company, or if there is any other process that the subcommittee should be aware of.

Corey responded that WG Chairs are elected every two years but subcommittees don't undergo the same procedures in terms of elections.

[Note by Minute-taker outside the discussion: The Validation Subcommittee Charter is available at https://cabforum.org/2018/10/03/ballot-sc009-establish-the-validation-subcommittee-of-the-scwg/]


2. DNSSEC clarification ballot
Referencehttps://url.avanan.click/v2/r01/___https://github.com/cabforum/servercert/pull/667___.YXAzOmRpZ2ljZXJ0OmE6bzo0YmM2YjM0OTFiZjRlODQ5NDJiMWFhMzFiNTc1OGUzYjo3OmU4YjM6MzM1MzZmMGFkZDE0OWRmZWI4NzUwYmRiNTQ3ODY4NTFkMTE4M2E1MDZmYjI2NGI4OThiNmYwMTBjOTY5MzY5Yjp0OlQ6Rg


Rich is waiting for SC98 to complete the IPR review process and then he will make a new draft of the DNSSEC ballot because things will shift from section 3 to section 4. No plans to change the wording, just to fix the structure in light of SC98. He is still looking for endorsers.

Trev is willing to endorse the ballot. She said there are some comments on the PR from the ATS team.

3. EV Domain Ownership validation ballot
Reference
https://url.avanan.click/v2/r01/___https://github.com/cabforum/servercert/pull/661___.YXAzOmRpZ2ljZXJ0OmE6bzo0YmM2YjM0OTFiZjRlODQ5NDJiMWFhMzFiNTc1OGUzYjo3OjQ0MDU6OTkwZDM3M2I4ZmY1OTIzNDcyOTMzM2YzZTg0YjA5Y2NhYzBmYmZmZWEwYTUyNzU2MGRjY2ZjNDkxNWJlODAyOTp0OlQ6Rg


Dustin explained the main parts of the ballot. The problem is that the current EVGs require WHOIS checks but another reading is to skip the entire section related to that. There are also "hardcoded" validity periods which should be pointing to the TLS BRs. The ballot cleans up several issues and adds references to the TLS BRs for validity and data re-use periods for Domain Validation.

Corey shared his screen and Dustin went through all the proposed changes. Corey suggested the removal of the entire 3.2.2.7 section and have a section below to normatively reference the TLS BRs in terms of domain validation. Dustin said that it would be a ripple effect and it would probably create another problem. He is hesitant to make more changes and prefers to focus on the core problems. There's definitely massive cleanup needed in this document. He is not opposed to more changes but the current ballot is simple and prefers to keep it that way.

Dustin mentioned that if the EV is setting a "higher bar" than the BRs, in terms of validity and data reuse, this is no longer the case because they match.

Roman and Andrea Holland consider the second approach cleaner and better. Dustin said that Martijn has contributed a lot to this ballot fixing several issues from the previous version.

Dustin considers starting the discussion period since there are no concerns. 


4. Verification of data sources ballot


Scott doesn't have a written update. He provided a summary of the current 3.2.2.7 recommended criteria. Is this list of criteria sufficient or are there others we should consider? Maybe it's 3 out of the 5 that are sufficient or all of them have to be considered but there is currently no guidance on how to calibrate the criteria. He will prepare a set of questions and send that out to the mailing list. The group can iterate from there.

5. Ad-hoc topic added to the agenda by Aaron Gable: Discussion about ballot SC101
Ballot is in the discussion period, some clarifications were asked, more substantive feedback came back. However there is some discussion on GitHub that is more substantive, especially around section 3.2.2.5.3, the reverse address lookup. Based on that feedback, Aaron will produce a v2 that includes an effective date for section 3.2.2.5.3 and also address the minor clarifications requested on the mailing list.

Aaron explained the different interpretations of using ADNs in reverse address lookup and how it can be used afterwards with the DNS change method (3.2.2.4.7). Section 3.2.2.5.3 in the current BRs point to FQDN, not ADN, which precludes the use of 3.2.2.4.7 which only points to ADN. He intends to fix that in the upcoming v2 version of the ballot. Rich mentioned that the ADN has been used for all methods and he doesn't see any prohibition of using 3.2.2.4.7 after applying 3.2.2.5.3.

Aaron talked about effective dates and will use the same effective date. The effective date will be updated to November of 2026. Aaron said that the Chairs could change that table without a ballot.

[Note by Minute-taker/SCWG Chair outside the discussion: Actually, according to Bylaws 2.4 (8) if the ballot makes a change to section 1.2.2 (the table with Relevant Dates), the Chair of Vice-Chair is not allowed to make changes to that area.]

Adjournment
Corey Bonnell adjourned the meeting and thanked the group for the great collaboration.

Reply all
Reply to author
Forward
0 new messages