← CABF Ballot Browser
SC-0101v2 passed

Ballot SC0101v2: Clarify Authorization Domain Names

Server Certificate Working Group

Key dates

Effective date
15 Nov 2026 4 months from now
Voting opened
23 Jun 2026 2 weeks ago
Voting closed
30 Jun 2026 1 week ago
Discussion opened
12 Jun 2026 1 month ago
Discussion closed
19 Jun 2026 3 weeks ago

Resources

Affected document sections
Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates § 3.2.2.4 Validation of Domain Authorization or Control Updates the section to require a CA process for choosing the Authorization Domain Name based on the selected validation method, including the ordering and constraints for CNAME and prune steps and a table of method suitability. Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates § 3.2.2.4 (definitions and related subsections within the section) Changes wording throughout the section to validate control over the selected ADN rather than the applied-for FQDN, and updates method descriptions accordingly. Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates § Definitions: Authorization Domain Name Replaces the definition to describe Authorization Domain Name as the FQDN used to perform validation of domain authorization or control for a given FQDN or Wildcard Domain Name. Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates § Definitions: Base Domain Name Updates the Base Domain Name definition wording while keeping the described concept of the portion of an FQDN left of a registry-controlled or public suffix plus the registry-controlled or public suffix. Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates § Definitions: Domain Contact Removes the prior Domain Contact definition text from the definitions section.

AI Summary

Generated 2026-07-12 04:00 UTC

Result and scope

  • Ballot SC0101v2 Clarify Authorization Domain Names was adopted by the Forum (Bylaw 2.3(6) and related quorum/participation requirements were MET).
  • The ballot modifies Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates, focusing on how CAs derive and validate Authorization Domain Names (ADNs).

Key changes described in the ballot

  • In Section 3.2.2.4, the ballot explicitly describes the algorithm a CA may use to derive an Authorization Domain Name from an applied-for FQDN.
  • The ballot simplifies the definition of Authorization Domain Name to be merely descriptive and updates validation methods to describe how they validate control of the selected ADN.
  • The ballot collapses previous statements about validation method suitability for wildcard and ending-in-the-same-suffix validation into a table in Section 3.2.2.4.
  • As knock-on effects, the ballot simplifies the definitions of Base Domain Name and Domain Contact.

Compliance timing described in the ballot

  • The ballot includes a provision allowing CAs to comply with Section 3.2.2.4 of the previous version of the Baseline Requirements until November 15, 2026.

Security and rationale described in the ballot

  • The ballot states the existing definition of Authorization Domain Name has ambiguity about whether parts of the definition can be performed exclusively, in sequence, repeatedly, or otherwise.
  • The ballot states that under some interpretations, it allows issuance for names over which the applicant has not demonstrated control.
  • The ballot resolves the issue by more strictly describing the acceptable ADN derivation algorithm, including ordering of CNAME and prune steps and constraints on which validation methods can use those steps.
Model: gpt-5.4-nano Confidence: 0.86 Result: passed
Effective date
2026-11-15
Voting opened
2026-06-23
Voting closed
2026-06-30
Discussion opened
2026-06-12
Discussion closed
2026-06-19
Applicability and conditions

2026-11-15 — CAs may use the prior Section 3.2.2.4 approach until November 15, 2026; on or after November 15, 2026, CAs must follow Section 3.2.2.4 of these Requirements. Prior to 2026-11-15, the CA SHALL adhere to Section 3.2.2.4 (and its subsections) of these Requirements OR Section 3.2.2.4 of Version 2.2.7 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates; effective 2026-11-15, the CA SHALL adhere to Section 3.2.2.4 of these Requirements.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 27 yes 0 no 0 abstain
Certificate Consumers 4 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

31 Yes
0 No
0 Abstain

100% yes · 0% no

Proposers

Aaron Gable (Let’s Encrypt / ISRG) and endorsed by Rich Smith (DigiCert) and Chris Clements (Google).

Excerpt

SearchHome » All CA/Browser Forum Posts » Ballot SC0101v2: Clarify Authorization Domain NamesBallot SC0101v2: Clarify Authorization Domain NamesVoting Results Certificate Issuers 27 votes in total:

View on cabforum.org → Last fetched 2 hours ago

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action