SC-045 passed

Ballot SC045: Wildcard Domain Validation

Server Certificate Working Group

Key dates

  • Effective date: 01 Dec 2021
  • Voting opened: 27 May 2021
  • Voting closed: 03 Jun 2021
  • Discussion opened: 20 May 2021
  • Discussion closed: 27 May 2021

AI Summary

Generated 2026-06-23 21:41 UTC

Ballot overview

  • Ballot SC045: Wildcard Domain Validation was a Final Maintenance Guideline in the Server Certificate Working Group.
  • It addressed security issues with using Baseline Requirements methods 3.2.2.4.6, 3.2.2.4.18, and 3.2.2.4.19 to authenticate an entire domain namespace.
  • The ballot states these methods rely on an HTTP-based demonstration of control and only demonstrate control over a particular host and service, rather than the entire Domain Namespace.

Voting results

  • Certificate Issuers: 22 yes votes, 0 no votes, 0 abstentions.
  • Certificate Consumers: 5 yes votes, 0 no votes, 0 abstentions.
  • The ballot met the Bylaw 2.3(f) voting thresholds for both Certificate Issuers and Certificate Consumers.
  • The ballot also met the requirement that at least one Certificate Issuer and one Certificate Consumer vote in favor.
  • Quorum was met; half of the currently active members at the start of voting was 13, so quorum for this ballot was 14.
  • The ballot entered the IP Rights Review Period after voting.

Requirements adopted

  • Effective 2021-12-01, CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN.
  • For method 3.2.2.4.6, the linked redline shows that for certificates issued prior to 2021-12-01, the CA MAY also issue certificates for other FQDNs that end with all the labels of the validated FQDN, but for certificates issued on or after 2021-12-01, the CA MUST NOT do so unless it performs a separate validation for that FQDN using an authorized method.
  • The same prior-to-2021-12-01 and on-or-after-2021-12-01 treatment is shown for methods 3.2.2.4.18 and 3.2.2.4.19.
  • The redline also changes method 3.2.2.4.20 so that once the FQDN has been validated using that method, the CA MUST NOT issue certificates for other FQDNs that end with all the labels of the validated FQDN unless it performs a separate validation for that FQDN using an authorized method.
  • The linked artifact also updates Appendix B so that the CA may verify .onion control using methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19, must use the Tor protocol to establish the connection, must not delegate the connection to a third party such as Tor2Web, and must not issue wildcard certificates or use these methods with Authorization Domain Names except as those methods specify.
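The rule the ballot adopts is easy to get wrong in issuance logic, so here is an added example (not CABF or ballot-browser code) of a CA-side check that applies it: a name validated by one of the three HTTP-based methods covers only that exact FQDN on or after 2021-12-01, while before that date it also covered names beneath it. The method strings, the effective date and the sample names are the page's values or constructed inputs; the suffix comparison is done label-wise so that a name like `notexample.com` is not mistaken for a child of `example.com`.

```python
from datetime import date

# Added example, not CABF or ballot-browser code. It models only the SC045 rule for
# the three HTTP-based methods the ballot names; other BR methods are out of scope.
HOST_SCOPED_METHODS = {"3.2.2.4.6", "3.2.2.4.18", "3.2.2.4.19"}
SC045_EFFECTIVE = date(2021, 12, 1)


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def ends_with_labels(candidate: str, validated: str) -> bool:
    """True when the labels of `validated` are a label-wise suffix of `candidate`,
    i.e. candidate is the validated FQDN itself or a name beneath it.
    A plain string suffix test would wrongly accept 'notexample.com' for 'example.com'."""
    c, v = _labels(candidate), _labels(validated)
    return len(c) >= len(v) and c[-len(v):] == v


def sc045_allows(requested: str, validated_fqdn: str, method: str, issued_on) -> tuple[bool, str]:
    """Decide whether `requested` may go into a certificate on the strength of a single
    validation of `validated_fqdn` by `method` (a BR section string such as "3.2.2.4.18"),
    for a certificate issued on `issued_on` (a date or an ISO date string).
    Returns (allowed, reason); anything the ballot does not cover is refused."""
    if isinstance(issued_on, str):
        issued_on = date.fromisoformat(issued_on)
    if method not in HOST_SCOPED_METHODS:
        return False, f"method {method} is not covered by this check"
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested
    if not wildcard and _labels(base) == _labels(validated_fqdn):
        return True, "requested name is the validated FQDN itself"
    if not ends_with_labels(base, validated_fqdn):
        return False, "requested name is outside the validated FQDN"
    if issued_on < SC045_EFFECTIVE:
        return True, "issued before 2021-12-01: names under the validated FQDN permitted"
    if wildcard:
        return False, "issued on/after 2021-12-01: wildcard not permitted with this method"
    return False, "issued on/after 2021-12-01: separate validation of this FQDN required"


if __name__ == "__main__":
    for req, val, meth, when in [  # constructed sample requests
        ("www.example.com", "www.example.com", "3.2.2.4.18", "2022-01-01"),
        ("mail.example.com", "example.com", "3.2.2.4.19", "2021-11-30"),
        ("mail.example.com", "example.com", "3.2.2.4.19", "2021-12-01"),
        ("*.example.com", "example.com", "3.2.2.4.6", "2022-01-01"),
        ("notexample.com", "example.com", "3.2.2.4.6", "2021-06-01"),
    ]:
        print(req, val, meth, when, sc045_allows(req, val, meth, when))
```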

Notes from the ballot text

  • The ballot says it interacts with Ballot SC42: 398-day Re-use Period and presents two versions depending on whether SC42 finishes the IP review period without issues.
  • The ballot text includes the statement that if SC42 is adopted, 3.2.2.4.6 does not need to change because no past validations can be reused to issue new certificates after the effective date.
  • If SC42 were to fail, 3.2.2.4.6 is also modified to keep it consistent with methods 3.2.2.4.18 and 3.2.2.4.19.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Applicability and conditions

  • 2021-12-01 — CAs must not use these methods to issue wildcard certificates or with Authorization Domain Names other than the FQDN. Applies to: certificates issued on or after this date for methods 3.2.2.4.6, 3.2.2.4.18, and 3.2.2.4.19.
  • 2021-12-01 — CAs may issue certificates for other FQDNs that end with all the labels of the validated FQDN. Applies to: certificates issued prior to this date using methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19.
  • 2021-12-01 — CAs must not issue certificates for other FQDNs that end with all the labels of the validated FQDN unless a separate validation is performed for that FQDN using an authorized method. Applies to: certificates issued on or after this date using methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Ryan Sleevi of Google and endorsed by Jos Purvis of Cisco and Dimitris Zacharopoulos of HARICA.

Excerpt

Ballot SC045: Wildcard Domain Validation. Voting Results: Certificate Issuers, 22 votes total, with no abstentions.

View on cabforum.org