Ballot SC002: Validating Certificates via CAA CONTACT

Ballot overview

• Ballot SC002, Validating Certificates via CAA CONTACT, proposed changes to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
• The ballot added new validation methods using CAA contact information published in DNS or legacy TXT records.
• It also added Appendix B: CAA Contact Tag, defining the contact property and its allowed URL schemes.

What the ballot would have changed

• Added validation methods for domain owner email and phone contact published in DNS.
• Added equivalent legacy validation methods using TXT records.
• Required the CA to use the email address or phone number found in the CAA Contact property record or the DNS TXT record, depending on the method.
• Limited the Random Value used in email validation responses to no more than 30 days from creation, unless the CPS specified a shorter period.
• Allowed the methods to validate multiple FQDNs in some cases and noted suitability for wildcard domain names.
• Defined the CAA contact property as a way for domain owners to publish contact information in DNS for certificate validation purposes.
• Stated that the CAA contact property SHOULD be used instead of TXT records where feasible.

Ballot outcome

• The voting period ended and the ballot failed.
• Voting by CAs met the approval threshold.
• Voting by browsers did not meet the approval threshold.
• The ballot states that SC2 fails.

Dates

• Discussion period: 2018-07-11 10:30am EST to 2018-07-19 11:00am EST
• Vote for approval period: 2018-07-19 11:00am EST to 2018-07-26 11:00am EST