Below are the final minutes of the meeting indicated in the subject, as captured by Thomas Zermeno and approved at the 2025-12-11 meeting of the validation-sc.
# Validation Subcommittee Working Group - Meeting Minutes
**Date: 2025-11-13**
## 1. Note Well
The Note Well was read by Corey Bonnell, who confirmed that all participants were members of the subcommittee.
### Previous Minutes
The minutes from 2025-10-30 are still being prepared by Michael Slaughter.
## 2. Review of Agenda
1. Clean up ADN: https://github.com/cabforum/servercert/pull/627
2. Project board review: https://github.com/orgs/cabforum/projects/1
No new topics introduced.
## 3. Discussion Topics
1. Jacob Hoffman-Andrews shared a slideshow on the ballot.
   * Authorization Domain Name defined and specified to be determined prior to the validation process
   * Gave a new proposed definition of ADN, which is much more succinct than the current definition:
     * "The FQDN used to perform validation of domain authorization for a given FQDN or Wildcard Domain Name."
   * Suggests that CNAME chaining should not be allowed
   * Discussed algorithmic methods of identifying ADN; felt that 'Prune or CNAME' was best
Rich Smith had some questions about the restriction of CNAME following. The draft seems to restrict the following of CNAMEs compared to what is in the guidelines. Is that by design?
Jacob confirmed that current specifications follow the "CNAME then prune" method; all of the validation methods that use CNAME are going to be deprecated, so he made the restriction to spark discussion.
Rich Smith felt that the restriction may add roadblocks to the validation process. However, he agreed that the current text is poorly written. We should be careful not to restrict where there is not a clear security reason to restrict.
Aaron Gable argued that 'Prune then CNAME' does not prove control over the domain name. That behaviour should be restricted as quickly as possible.
Dimitris Zacharopoulos described a scenario for 'CNAME then prune' and its importance.
Jacob reiterated that RFC 1034 does not allow for CNAME chaining, so his interpretation of the current definition is that chaining (CNAME -> CNAME -> CNAME, etc.) is not allowed.
Aaron demonstrated that the current language is broken and should not be used to determine the new definition of ADN. Instead, we should carve out what we feel is accurate.
This sparked much discussion on control and CNAMEs, including the application of CNAME following within other validation methods, intent of delegation and the convenience of domain owners who had multiple domains to validate.
There were two core pieces of feedback: the first that 'CNAME then prune' should be allowed, and the second that there can be a restriction on following CNAMEs for ADN validation such that the method cannot be used for wildcards or reused for subdomain validations.
Everyone is urged to review the GitHub PR and continue the discussion in two weeks.
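As an added illustration of the two orderings debated above (not text from the ballot, the PR, or the minutes), the following Python computes the candidate ADNs a CA would obtain under 'CNAME then prune' and under 'Prune then CNAME' for a constructed set of CNAME records. It assumes a single CNAME lookup per name (no chaining, per the RFC 1034 reading above) and approximates the Base Domain Name as the last two labels, where a real CA would consult the Public Suffix List.

```python
# Constructed CNAME records standing in for DNS answers (not real hosts).
CNAME_TABLE = {
    "www.app.example.com": "edge.cdn.example.net",
    "edge.cdn.example.net": "origin.example.io",  # a chain: deliberately not followed
    "app.example.com": "lb.hosting.example.org",
}


def base_domain(name: str) -> str:
    """Assumption for this example only: Base Domain Name = last two labels.
    A real CA must derive this from the Public Suffix List instead."""
    return ".".join(name.split(".")[-2:])


def strip_wildcards(name: str) -> str:
    """Remove wildcard labels from the left-most portion of the requested name."""
    labels = name.split(".")
    while labels and labels[0] == "*":
        labels.pop(0)
    return ".".join(labels)


def prune(name: str) -> list[str]:
    """The name itself and every left-pruned ancestor down to the base domain."""
    labels = name.split(".")
    stop = len(labels) - len(base_domain(name).split("."))
    return [".".join(labels[i:]) for i in range(stop + 1)]


def cname_once(name: str, table: dict[str, str]) -> str:
    """Single CNAME lookup; the target's own CNAME (chaining) is not followed."""
    return table.get(name, name)


def cname_then_prune(fqdn: str, table: dict[str, str]) -> list[str]:
    """Resolve one CNAME on the requested name first, then prune both names."""
    name = strip_wildcards(fqdn)
    candidates = prune(name) + prune(cname_once(name, table))
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def prune_then_cname(fqdn: str, table: dict[str, str]) -> list[str]:
    """Prune first, then allow one CNAME lookup on every pruned candidate."""
    name = strip_wildcards(fqdn)
    candidates = []
    for cand in prune(name):
        candidates += [cand, cname_once(cand, table)]
    return list(dict.fromkeys(candidates))


def only_reachable_by_pruning_first(fqdn: str, table: dict[str, str]) -> set[str]:
    """Names a CA could validate at under 'Prune then CNAME' but not 'CNAME then prune'."""
    return set(prune_then_cname(fqdn, table)) - set(cname_then_prune(fqdn, table))


if __name__ == "__main__":
    for fqdn in ("www.app.example.com", "*.app.example.com"):
        print(fqdn, "CNAME then prune:", cname_then_prune(fqdn, CNAME_TABLE))
        print(fqdn, "Prune then CNAME:", prune_then_cname(fqdn, CNAME_TABLE))
        print(fqdn, "extra under prune-first:", only_reachable_by_pruning_first(fqdn, CNAME_TABLE))
```

For `www.app.example.com` the prune-first ordering additionally admits `lb.hosting.example.org`, the CNAME target of an intermediate pruned name, which is the kind of candidate the discussion above questions as proof of control; `origin.example.io` appears under neither ordering because chaining is not followed.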
## 4. Any Other Business
*not discussed because of time constraints*
## 5. Adjourn
## Attendees
- Aaron Gable (ISRG)
- Aaron Poulsen (Amazon Trust Services)
- Adriano Santoni (Actalis)
- Ben Wilson (Mozilla)
- Corey Bonnell (DigiCert)
- Dimitris Zacharopoulos (HARICA)
- Inigo Barreira (Sectigo)
- Jacob Hoffman-Andrews (Let's Encrypt)
- Johnny Reading (GoDaddy)
- Kate Xu (TrustAsia)
- Kateryna Aleksieieva (Certum by Asseco)
- Mahua Chaudhuri (Microsoft)
- Michael Slaughter (Amazon)
- Michelle Coon (OATI)
- Nargis Mannan (Viking Cloud)
- Nate Smith (GoDaddy)
- Nome Huang (TrustAsia)
- ONO Fumiaki (SECOM Trust Systems)
- Pekka Lahtiharju (Telia)
- Rebecca Kelley (SSL.com)
- Rich Smith (DigiCert)
- Rollin Yu (TrustAsia)
- Scott Rea (eMudhra)
- Sean Huang (TWCA)
- Shiloh Heurich (Fastly)
- Stephen Davidson (DigiCert)
- Steven Deitte (GoDaddy)
- Tobias Josefowitz (Opera)
- Wayne Thayer (Fastly)
*Minutes by Thomas Zermeno (SSL.com) from recording*