SC-070
passed
Ballot SC070: Clarify the use of DTPs for Domain Control Validation
Server Certificate Working Group
Key dates
- Voting opened: 15 May 2024
- Voting closed: 02 Feb 2024
- IPR review ends: 23 Mar 2024
- Discussion opened: 02 Feb 2024
- Discussion closed: 12 Feb 2024
Resources
- GitHub diff: https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...00ea6e24c474fd0ab6eecc25cb8eb733fffc60c3
- Redline (TLS-BRs-redlined.pdf): https://cabforum.org/2024/02/23/ballot-sc070-clarify-the-use-of-dtps-for-domain-control-validation/BR-redline.pdf
- Document (TLS-BRs): https://cabforum.org/2024/02/23/ballot-sc070-clarify-the-use-of-dtps-for-domain-control-validation/BR.pdf
- Document (TLS-BRs.docx): https://cabforum.org/2024/02/23/ballot-sc070-clarify-the-use-of-dtps-for-domain-control-validation/BR.docx
- Document (CA/Browser Forum Intellectual Property Rights Policy): https://cabforum.org/uploads/CABF-IPR-Policy-v.1.3_4APR18.pdf
AI Summary
Ballot outcome
- The ballot is considered to have FAILED, with the resolution decided at F2F#64.
Purpose and scope
- Clarify existing language on the use of delegated third parties during domain and IP address control validation.
- Leaves existing language in place and adds specifics for DNS queries, WHOIS lookups, and contact with the Domain Name Registrar or IP Address Registration Authority.
- Adds the same restrictions to CAA checking.
Key requirement changes (as described in the ballot materials)
- CAA DNS queries MUST NOT be delegated to third parties, with an effective date of 2024-05-15.
- The CA MAY delegate performance of Section 3.2 initial identity validation requirements to a Delegated Third Party, except for:
  - Section 3.2.2.4 validation of domain authorization or control
  - Section 3.2.2.5 authentication for an IP address
  - (effective 2024-05-15) Section 3.2.2.8 CAA records
- All DNS queries used to satisfy Section 3.2.2.4, Section 3.2.2.5, and (effective 2024-05-15) Section 3.2.2.8 MUST be made from the CA to authoritative nameservers, without the use of recursive resolvers operated outside the CA audit scope.
- Contact information for Domain Contacts MUST come from the WHOIS record, a DNS SOA record, or direct contact with the Domain Name Registrar of the Base Domain Name, and MUST be obtained directly by the CA, without the use of third-party services operated outside the CA audit scope.
- Contact information for IP Address Contacts MUST be obtained through direct contact with the IP Address Registration Authority, without the use of third-party services operated outside the CA audit scope.
Review and voting process dates (from the ballot page)
- Review period start: 23 February 2024 at 18:00 Eastern Time
- Review period end: 23 March 2024 at 18:00 Eastern Time
- Discussion dates shown on the page: 2024-02-02 to 2024-02-12
- Expected vote for approval dates shown on the page: 2024-02-12 to 2024-02-19
- Voting opened: 2024-05-15
- Voting closed: 2024-02-02
- IPR review ends: 2024-03-23
- Discussion opened: 2024-02-02
- Discussion closed: 2024-02-12
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Vote result
- Certificate Issuers: 28 yes, 0 no, 0 abstain
- Certificate Consumers: 4 yes, 0 no, 0 abstain
- Total: 32 yes, 0 no, 0 abstain
Proposers
Aaron Gable (ISRG / Let’s Encrypt) and endorsed by Mads Henriksveen (Buypass) and Dimitris Zacharopoulos (HARICA).
Excerpt
Ballot SC070: Clarify the use of DTPs for Domain Control Validation. Voting Results: This ballot is considered to have FAILED. This resolution was decided at F2F#64.