Meeting Date: 2026-01-22
Attendees: Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Adriano Santoni (Actalis S.p.A.), Arman Asemani (Apple), Ben Wilson (Mozilla), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dimitris Zacharopoulos (HARICA), Dustin Hollenback (Apple), Iñigo Barreira (Sectigo), Jacob Hoffman-Andrews (Let's Encrypt), Johnny Reading (GoDaddy), Luis Cervantes (SSL.com), Mahua Chaudhuri (Microsoft), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Nate Smith (GoDaddy), Nome Huang (TrustAsia), Ono Fumiaki (SECOM Trust Systems), Pedro Fuentes (OISTE Foundation), Pekka Lahtiharju (Telia Company), Rebecca Kelly (SSL.com), Rich Smith (DigiCert), Roman Fischer (SwissSign), Scott Rea (eMudhra), Sean Huang (TWCA), Tobias Josefowitz (Opera Software AS), Trevoli Ponds-White (Amazon), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Wiktoria Więckowska (Asseco Data Systems SA (Certum))
Pre-Meeting Agenda:
- Approval of January 8th meeting minutes
- Discussion of ADN improvement ballot (https://github.com/cabforum/servercert/pull/627)
- Scott Rea assigned minute taker in absence of Andrea Holland and/or Janet Hines
Corey Bonnell read the Note Well
Adjusted Agenda at start of meeting:
- Approval of January 8th meeting minutes
- Discussion of ADN improvement ballot (https://github.com/cabforum/servercert/pull/627)
- Discussion on Reliable Data Sources
Approval of Prior Meeting Minutes:
- The 2026-01-08 Meeting of VSC minutes penned by Corey Bonnell were approved.
Current Meeting Minutes:
Aaron and Jacob discussed the updates they made to PR627 regarding CNAME lookups and pruning methods.
Corey pointed out a potential update required to method 22.
Rich raised concerns about clarity on additional FQDNs in the current ballot text, and what happens under various pruning scenarios where ADNs are also used, specifically around subdomains. There was some disagreement regarding the impact of the text of the updated validation processes and whether some potential security implications are being introduced where previously allowed inclusions would now be excluded by the current language. The concerns were mostly based around whether CDNs can validate subdomains without control over them.
Aaron indicated that the proposed changes aim to restrict validations to domains actually controlled by the issuer. It was decided that clear examples are necessary to clarify the distinction between requested FQDNs and additional FQDNs in guidelines.
The outcome is that Aaron and Jacob will draft an email to the validation working group list containing a number of examples and how those examples would work under the current BRs and the proposed ballot, to clarify how they perceive things will work, and to facilitate further discussion. Also, an implementation date will be added to the ballot to give CAs clear runway to work through any implementation challenges, and a suggestion of June 15th was made as adequate for review.
No time remained for Reliable Data Sources discussion.
Meeting Close