Ballot SC067v3: Require domain validation and CAA checks to be performed from multiple Network Perspectives Corroboration
Server Certificate Working Group
Key dates
- Effective date: 15 Mar 2025
- Voting opened: 15 Jul 2024
- Voting closed: 22 Jul 2024
- Discussion opened: 20 May 2024
- Discussion closed: 15 Jul 2024
AI Summary
Ballot overview
- Ballot SC067v3 proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates (TLS BRs) related to Multi-Perspective Issuance Corroboration (MPIC).
- MPIC is described as performing domain validation and CAA checks from multiple Network Perspectives before certificate issuance.
- The ballot states that not all validation methods in TLS BR Sections 3.2.2.4 and 3.2.2.5 will require using MPIC.
What the ballot changes (as reflected in the provided evidence)
- Adds a requirement that CAs using specified validation methods must implement Multi-Perspective Issuance Corroboration as specified in TLS BR Section 3.2.2.9.
- Defines the conditions under which a Network Perspective counts as corroborating:
  - For challenge-based validation, the Network Perspective must observe the same challenge information (Random Value or Request Token) as the Primary Network Perspective.
  - For IP address validation, the Network Perspective must observe the same IP address as the Primary Network Perspective.
  - For contact-based validation, the Network Perspective must observe the same selected contact address used for domain validation as the Primary Network Perspective observed.
- Includes an exception, noted in the evidence, for Onion Domain Names (the MPIC requirement is stated as "Except for Onion Domain Names" in multiple places in the provided diff text).
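The corroboration conditions listed above, as an added example that is not part of the ballot text or the CABF page: each remote Network Perspective's observation is compared with the Primary's according to the validation type. The `Observation` type, the function names, the case-insensitive contact comparison and the `max_non_corroborating` threshold are assumptions; the page gives no quorum numbers, so the threshold is left to the caller.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    perspective: str       # label for a Network Perspective (hypothetical name)
    value: Optional[str]   # what it observed; None if its lookup failed

def normalize(kind: str, value: str) -> str:
    """Canonical form, so equivalent observations compare equal."""
    if kind == "challenge":   # Random Value or Request Token: exact match
        return value
    if kind == "ip":          # compare parsed addresses, not their spelling
        return str(ipaddress.ip_address(value.strip()))
    if kind == "contact":     # assumption: contact addresses compared case-insensitively
        return value.strip().lower()
    raise ValueError(f"unknown validation kind: {kind}")

def mpic_required(domain: str) -> bool:
    """The page notes the MPIC requirement is excepted for Onion Domain Names."""
    return not domain.rstrip(".").lower().endswith(".onion")

def corroborating(kind, primary, remotes):
    """Labels of remote perspectives that observed the same value as the primary."""
    want = normalize(kind, primary.value)
    matched = []
    for obs in remotes:
        try:
            if obs.value is not None and normalize(kind, obs.value) == want:
                matched.append(obs.perspective)
        except ValueError:
            pass  # an unparseable observation does not corroborate
    return matched

def mpic_gate(domain, kind, primary, remotes, max_non_corroborating):
    """(passes, corroborating labels). The threshold is caller-supplied (assumption)."""
    if not mpic_required(domain):
        return True, []
    if primary.value is None:
        return False, []
    matched = corroborating(kind, primary, remotes)
    misses = len(remotes) - len(matched)
    return bool(matched) and misses <= max_non_corroborating, matched
```

A perspective whose lookup failed or returned an unparseable value counts as non-corroborating rather than being dropped from the total, so failures cannot shrink the denominator.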
Intellectual Property Rights (IPR) review process (as stated on the ballot page)
- The ballot page includes an IPR review period notice for one Final Maintenance Guideline.
- Members with Essential Claims to exclude must forward a written Notice to Exclude Essential Claims to the Working Group Chair and also submit a copy to the CA/B Forum public mailing list before the end of the Review Period.
Voting outcome (as stated on the ballot page)
- Certificate Issuers: 22 votes total; 22 YES; 0 NO; 0 ABSTAIN.
- Certificate Consumers: 4 votes total; 3 YES; 0 NO; 0 ABSTAIN.
- The ballot page states that the Bylaws requirements were MET and that the ballot's current status is passed.
2025-03-15: CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. A corroborating Network Perspective must observe the same challenge information (Random Value or Request Token), the same IP address, or the same selected contact address as the Primary Network Perspective, as applicable. This applies to CAs when they use the domain validation and CAA-check methods that require MPIC (as indicated by the provided diff text); the MPIC requirement is stated as "Except for Onion Domain Names" in the provided evidence.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Chris Clements and Ryan Dickson of Google (Chrome Root Program) and endorsed by Aaron Gable (ISRG / Let’s Encrypt) and Wayne Thayer (Fastly).
Excerpt
Voting Results
Certificate Issuers 22 votes total, with no abstentions: