Ballot SC0101v2: Clarify Authorization Domain Names
Server Certificate Working Group
Key dates
- Effective date
- 15 Nov 2026 4 months from now
- Voting opened
- 23 Jun 2026 2 weeks ago
- Voting closed
- 30 Jun 2026 1 week ago
- Discussion opened
- 12 Jun 2026 1 month ago
- Discussion closed
- 19 Jun 2026 3 weeks ago
Resources
AI Summary
Result and scope
- Ballot SC0101v2 Clarify Authorization Domain Names was adopted by the Forum (Bylaw 2.3(6) and related quorum/participation requirements were MET).
- The ballot modifies Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates, focusing on how CAs derive and validate Authorization Domain Names (ADNs).
Key changes described in the ballot
- In Section 3.2.2.4, the ballot explicitly describes the algorithm a CA may use to derive an Authorization Domain Name from an applied-for FQDN.
- The ballot simplifies the definition of Authorization Domain Name to be merely descriptive and updates validation methods to describe how they validate control of the selected ADN.
- The ballot collapses previous statements about validation method suitability for wildcard and ending-in-the-same-suffix validation into a table in Section 3.2.2.4.
- As knock-on effects, the ballot simplifies the definitions of Base Domain Name and Domain Contact.
Compliance timing described in the ballot
- The ballot includes a provision allowing CAs to comply with Section 3.2.2.4 of the previous version of the Baseline Requirements until November 15, 2026.
Security and rationale described in the ballot
- The ballot states the existing definition of Authorization Domain Name has ambiguity about whether parts of the definition can be performed exclusively, in sequence, repeatedly, or otherwise.
- The ballot states that under some interpretations, it allows issuance for names over which the applicant has not demonstrated control.
- The ballot resolves the issue by more strictly describing the acceptable ADN derivation algorithm, including ordering of CNAME and prune steps and constraints on which validation methods can use those steps.
- Effective date
- 2026-11-15
- Voting opened
- 2026-06-23
- Voting closed
- 2026-06-30
- Discussion opened
- 2026-06-12
- Discussion closed
- 2026-06-19
2026-11-15 — CAs may use the prior Section 3.2.2.4 approach until November 15, 2026; on or after November 15, 2026, CAs must follow Section 3.2.2.4 of these Requirements. Prior to 2026-11-15, the CA SHALL adhere to Section 3.2.2.4 (and its subsections) of these Requirements OR Section 3.2.2.4 of Version 2.2.7 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates; effective 2026-11-15, the CA SHALL adhere to Section 3.2.2.4 of these Requirements.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Vote result
Proposers
Aaron Gable (Let’s Encrypt / ISRG) and endorsed by Rich Smith (DigiCert) and Chris Clements (Google).
Excerpt
SearchHome » All CA/Browser Forum Posts » Ballot SC0101v2: Clarify Authorization Domain NamesBallot SC0101v2: Clarify Authorization Domain NamesVoting Results Certificate Issuers 27 votes in total: