These are the final minutes of the meeting indicated in the subject, as captured by Wayne Thayer and approved at the validation-sc teleconference on August 7th.
# Meeting
2025-07-24 Validation sub-committee
Minute-taker: Wayne Thayer
# Attendees
Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Adriano Santoni (Actalis S.p.A.), Bruce Morton (Entrust), Chris Clements (Google), Corey Rasmussen (OATI), Doug Beattie (GlobalSign), Henry Birge-Lee (Henry Birge-Lee (Private person)), Jaime Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Kateryna Aleksieieva (Asseco Data Systems SA (Certum)), Li-Chun Chen (Chunghwa Telecom), Luis Cervantes (SSL.com), Michael Slaughter (Amazon), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Rebecca Kelly (SSL.com), Ryan Dickson (Google), Scott Rea (eMudhra), Sean Huang (TWCA), Shiloh Heurich (Fastly), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority)
# Minutes
Wayne Thayer read the Note-well.
## Approval of Minutes
Minutes from the 2025-07-10 meeting were approved.
## SC-88
Michael Slaughter presented the PR at https://github.com/slghtr-says/servercert/pull/3/files. A takeaway from the last call was to add explicit examples to the ballot text. Michael said that he added two tables of examples and requested feedback in the PR.
Michael said that his next steps are to move the PR to the CAB Forum servercert repository and prepare the ballot for the discussion period.
Ryan Dickson expressed gratitude for Michael’s work.
Aaron Gable said that Henry Birge-Lee presented this material at the IETF 123 ACME WG meeting and it was well received, with the RFC draft likely to proceed quickly.
Henry said that Shiloh Heurich will be collaborating on the RFC.
## Presentation on OpenMPIC implementation experience
Henry Birge-Lee screen-shared and presented the attached slides. The slides were also sent to the validation mailing list.
On the slide titled “Vulnerability 1: IP reassignment”, Aaron said that this is why Let’s Encrypt has chosen to only issue short-lived IP address certs. ACME would not allow step 7 because the domain name has changed. The BRs have a looser definition of validation documents that can be reused than does ACME.
After the presentation, Trevoli Ponds-White suggested that we disallow IP address certificates. Henry clarified that the specific action he is proposing is to forbid use of the two “crossover” validation methods.
Ryan said that the two “crossover” methods are not currently part of Chrome’s ballot that forbids use of phone and email based methods, but they will consider extending the ballot to include these two “crossover” methods.
Henry expressed curiosity about CAs’ need for these two methods. Wayne mentioned that there is now a CCADB report showing which CAs support each method, and he said that the best way to find out how important these are is to proceed with a ballot to ban them.
Trev clarified that she would like to know how prevalent IP addresses are in certificates. Ryan said that Chrome has periodically gathered this data and found very little use, with a few CAs dominating issuance.
Henry clarified that the scope of his proposal is only 2 methods, not a ban on IP addresses in certificates.
Ryan said that close to 140K certificates were found in Chrome’s April survey containing IP addresses, which is 0.01% of all certificates that were sampled.
There was no other business. Meeting adjourned.