Final Validation Subcommittee Meeting Minutes - 2026-04-30


Corey Bonnell

May 14, 2026, 11:18:45 AM
to valid...@groups.cabforum.org

These are the final minutes of the teleconference described in the subject of this message as prepared by Ben Wilson. These minutes were approved at the Validation Subcommittee call on May 14th, 2026.

 

Minutes of the CA/Browser Forum Validation Subcommittee

April 30, 2026

1. Opening and Administrative Matters

Corey Bonnell opened the meeting.

Ben Wilson took minutes.

Corey read the Note Well.

Attendance:  Aaron Poulsen - (SSL.com), Adam Flock - (SSL.com), Adriano Santoni - (Actalis S.p.A.), Ben Wilson - (Mozilla), Chris Clements - (Google), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Dustin Hollenback - (Apple), Eric Kramer - (Sectigo), Gregory Tomko - (GlobalSign), Gurleen Grewal - (Google), Iñigo Barreira - (Sectigo), Kateryna Aleksieieva - (Asseco Data Systems SA / Certum), Kiran Tummala - (Apple), Li-Chun Chen - (Chunghwa Telecom), Luis Cervantes - (SSL.com), Luis Osses - (Amazon), Mahua Chaudhuri - (Microsoft), Martijn Katerbarg - (Sectigo), Michael Slaughter - (Amazon), Michelle Coon - (OATI), Nate Smith - (GoDaddy), Ono Fumiaki - (SECOM Trust Systems), Pedro Fuentes - (OISTE Foundation), Rebecca Kelly - (SSL.com), Rich Smith - (DigiCert), Scott Rea - (eMudhra), Sean Huang - (TWCA), Shiloh Heurich - (Fastly), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)

Minutes from the face-to-face meeting and the previous Validation Subcommittee meeting remain pending and are expected to be reviewed for approval at the next meeting.

2. Agenda Review

The proposed agenda included:

  1. SC-101: Authorization Domain Names (ADN) processing ballot
  2. SC-102: EV Guidelines domain ownership improvement ballot
  3. SC-100: DNSSEC clarification ballot
  4. SC-098: CAA parameters ballot

No additional agenda items were raised.

3. SC-101: ADN Processing Ballot (GitHub PR 627)

Aaron Gable was not present, and no email had yet been sent to the list summarizing the expected changes. There was no discussion, and the item was deferred.

4. SC-100: DNSSEC Clarification Ballot

Rich Smith reported that the DNSSEC clarification ballot has been drafted and that a ballot number has been reserved on the wiki. He has not yet posted the ballot as a GitHub pull request, but expects to do so in the next few days.

5. SC-102: EV Guidelines Domain Ownership Improvement Ballot (GitHub PR 661)

Dustin presented the EV Guidelines domain ownership improvement ballot, currently reflected in GitHub PR 661.

He explained that the work began with concern over EVG language requiring WHOIS checks when reusing domain name validation information. WHOIS is unreliable, and the existing language creates ambiguity because some CAs read the EV Guidelines as requiring use of the stricter EVG reuse provisions, while others read the language as allowing those provisions to be bypassed in favor of the general age-of-data provisions.

Dustin described the issue as a loophole or ambiguity in EVG section 3.2.2.14. The question for the group was whether EV domain validation reuse should continue to impose stricter requirements than the TLS Baseline Requirements, or whether the EV Guidelines should simply defer to the TLS BRs for domain validation reuse.

Rich Smith noted that the EV Guidelines predate the TLS Baseline Requirements. Many original EVG provisions addressed topics that were later covered more comprehensively and more strictly in the TLS BRs. In his view, the stricter purpose of EV has primarily related to organization validation rather than domain validation, and domain validation reuse could reasonably defer to the TLS BRs.

Ben Wilson expressed concern that EV certificates involve both organization identity and domain control, and that the Guidelines should not lose sight of the binding between the organization and the domain. He noted that if EV requirements are eventually merged into the TLS BRs, care should be taken not to lose the processes that make EV certificates distinct.

Martijn Katerbarg noted that WHOIS has never been a secure way to establish ownership because registrants can enter arbitrary information.

The group discussed whether EVG sections 3.2.2.14.1 and 3.2.2.14.2 continue to provide value, whether they should be narrowed, or whether some provisions should be moved or replaced with references to the TLS BRs. There was concern that opening broader questions about reuse of EV-specific validation data, such as legal existence, principal individual, or physical address validation, could significantly expand the scope of the ballot.

Corey and Ben suggested separating the immediate domain validation issue from broader EV validation reuse questions.

Dustin proposed preparing an alternative draft: one version would preserve the stricter interpretation and close the perceived loophole, while the other would simplify the language by deferring domain validation reuse to the TLS BRs. He will circulate the alternative draft to the Validation Subcommittee list so members can compare both approaches before the next meeting.

6. SC-098: CAA Parameters Ballot (GitHub PR 567)

Wayne provided an update on SC-098. He stated that he incorporated the items discussed at the prior meeting and additional comments from the pull request into version 2, which is now in the discussion period.

The changes include:

  • Language addressing the parent-child relationship discussed at the prior meeting.
  • Clarifications regarding applicability to ACME and non-ACME implementations.
  • Revised language so that references to ACME do not imply strict conformance with every aspect of RFC 8555.
  • Case-sensitivity language, generally requiring lowercase unless otherwise documented by the CA in its CPS.
  • Replacement of the prior comparison between DNS-01 and Method 7 with a comparison between methods 18 and 19.

Wayne noted that the discussion period ends Sunday and that he hopes to move the ballot to voting early next week.

No further comments or questions were raised.

7. Adjournment

With no further business, Corey adjourned the meeting.
