Ballot SC033: TLS Using ALPN Method

Ballot overview

• Ballot SC033: TLS Using ALPN Method modified the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
• The ballot replaced the existing TLS using a random number method with a new TLS using ALPN method based on RFC 8737.
• It was proposed as a Final Maintenance Guideline.

What changed

• Section 3.2.2.4.10 was retired and must not be used.
• Prior validations using that method and validation data gathered according to that method must not be used to issue certificates.
• A new section 3.2.2.4.20, TLS Using ALPN, was added.
• The new method confirms control over a FQDN by negotiating a new application layer protocol using the TLS ALPN extension as defined in RFC 8737.
• The token used for this method must not be used for more than 30 days from its creation, unless the CA’s CPS specifies a shorter validity period.
• After validation with this method, the CA may not issue certificates for other FQDNs that end with all the labels of the validated FQDN unless it performs a separate validation for that FQDN using an authorized method.
• The method is not suitable for validating wildcard domain names.

Ballot process and vote

• Discussion period: 31-July, 2020 17:00 UTC to not before 7-August, 2020 17:00 UTC.
• Voting period: 7-August, 2020 20:00 UTC to 14-August, 2020 20:00 UTC.
• The ballot page states the voting period ended and the ballot passed.
• Voting by Certificate Issuers: 22 total votes, 22 yes, 0 no, 0 abstain.
• Voting by Certificate Consumers: 6 total votes, 6 yes, 0 no, 0 abstain.
• The page states the bylaw approval requirements were met and quorum was met.

Effective date and applicability

• The supplied evidence does not state a separate compliance or effective date beyond the voting period ending and the ballot passing.
• No conditional rollout or phased applicability date is stated in the evidence.