Final Minutes of the 2025-03-27 F2F validation-sc meeting


Corey Bonnell

May 1, 2025, 2:55:40 PM
to valid...@groups.cabforum.org

Here are the final minutes of the meeting as indicated in the subject and recorded by Michael Slaughter and approved at the 2025-05-01 validation-sc meeting.


Attendees: Aaron Poulsen (Amazon), Adrian Mueller (SwissSign), Alison Wang (TrustAsia), Andrea Holland (VikingCloud), Andreas Henschel (D-TRUST), Arnold Essing (Telekom Security), Ashish Dhiman (GlobalSign), Ben Wilson (Mozilla), Brianca Martin (Amazon), Brittany Randall (GoDaddy), Bruce Morton (Entrust), Chad Dandar (Cisco Systems), Chris Clements (Google), Chya-Hung Tsai (TWCA), Clemens Wanko (ACAB Council), Clint Wilson (Apple), Corey Bonnell (DigiCert), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Eric Hampshire (Cisco Systems), Eric Kramer (Sectigo), Hans Metsoja (Opera), Hao-Chun Li (TWCA), Hazhar Ismail (MSC Trustgate Sdn Bhd), Henry Birge-Lee (Private person), Hideki Kobayashi (KPMG Japan), Hisashi Kamo (SECOM Trust Systems), Hogeun Yoo (NAVER Cloud Trust Services), Inaba Atsushi (GlobalSign), Iñigo Barreira (Sectigo), Jaime Hablutzel (OISTE Foundation), Jeff Ward (Aprio), Jeremy Rowley (DigiCert), Ji Eun Seong (MOIS (Ministry of Interior and Safety) of the Republic of Korea), Jinhwan Shin (Deloitte Korea), JP Hamilton (Cisco), Jun Okura (Cybertrust Japan), Karina Sirota Goodley (Microsoft), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Kate Xu (TrustAsia), Kenji Urushima (GlobalSign), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom), Llew Curran (GoDaddy), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Masaru Sakamoto (Cybertrust Japan), Masatoshi Shigaki (KPMG Japan), Masayuki Suzuki (KPMG Japan), Mats Rosberg (Keyfactor), Matthias Wiedenhorst (ACAB Council), Michael Slaughter (Amazon), Nate Smith (GoDaddy), Naveen Kumar (eMudhra), Nick France (Sectigo), Nicol So (CommScope), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Puja Sehgal (Microsoft), Rebecca Kelly (SSL.com), Renne Rodriguez (Apple), Rich Smith (DigiCert), Rollin Yu (TrustAsia), Russ Housley (Vigil Security), Ryan Dickson (Google), Sawada Takashi (SECOM), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Sooyoung Eo (NAVER Cloud Trust Services), Stefan Kirch (Telekom Security), Stephen Davidson (DigiCert), Sven Rajala (Keyfactor), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Vinay Kumar (OATI), Wayne Thayer (Fastly), Xiu Lei (GDCA), Yamian Quintero (Microsoft), Yannick Thomassier (Certinomis), Zurina Zolkaffly (MSC Trustgate)


SC-82 redux status update:

No discussion outside the presentation.


DNSSEC Discussion:

  • Dimitris asked about converting a SHOULD to a MAY and recommended adding references to other RFCs. 
  • Henry suggested that doing DNSSEC at the remote perspectives does not provide a significant benefit
  • Corey - This ballot needs an effective date so that subscribers can be made aware of this change and have a reasonable time frame to correct misconfigurations.
  • Wayne - This ballot feels like it's ready to move forward and is more important than the CA parameters ballot. He proposed that an effective date of 6 months out, in the fall of 2025, would be a reasonable effective date.
  • Trev commented that we should make sure that applicants that have DNSSEC enabled have it correctly enabled. 
  • Corey - One thing to consider is analysis with RFC 6840 and compliance by various DNS resolvers. 
  • Henry - The only DNS resolver that didn't mention RFC 6840 was Microsoft's. Henry thinks it's best to just reference the new RFCs more explicitly.
  • Dimitris - If a CA is using the same resolver for CAA and DCV then the change can be made at a single place. If the same resolver is being used then this should be simple. 
  • Henry: A DNSSEC INVALID state normally gets propagated back to the client as a SERVFAIL, which cannot fail open and must fail closed.
  • Corey - Does any CA want to share implementation experience? 
  • Nick - Only thing I will say is that customers do not implement DNSSEC correctly. Customers need time to be prepared and have the right remediation approaches.
  • Clint offered to propose the ballot or serve as an endorser. Wayne (Fastly), Dimitris (HARICA) and Ryan (Chrome) offered to endorse.
  • Action Item: Clint to create SC-085 ballot
2025 Spring Validation SC.pdf
DNSSEC Validation by CAs-1.pdf
CA_B F F2F 61 - Validation Subcommittee SC-082 Redux - Presented Version.pdf