SC-084 passed

Ballot SC084: DNS Labeled with ACME Account ID Validation Method

Server Certificate Working Group

Key dates

Voting opened: 21 Jan 2025
Voting closed: 28 Jan 2025
IPR review ends: 27 Feb 2025
Discussion opened: 10 Jan 2025
Discussion closed: 21 Jan 2025

AI Summary

Generated 2026-06-23 21:15 UTC

Outcome

  • The ballot met all stated bylaw adoption requirements.
  • Certificate Issuers cast 19 YES, 0 NO, 0 ABSTAIN.
  • Certificate Consumers cast 4 YES, 0 NO, 0 ABSTAIN.
  • The quorum requirement was met with a quorum of 11.
  • A 30-day IPR review period was announced for one Final Maintenance Guideline.

What the ballot does

  • Adds a new ACME domain validation method to the TLS Baseline Requirements.
  • The new method is Section 3.2.2.4.21, DNS Labeled with Account ID - ACME.
  • The method confirms the Applicant's control over the FQDN by performing the dns-account-01 challenge procedure from draft 00 of the ACME DNS Labeled With ACME Account ID Challenge draft.

Purpose and rationale

  • The ballot says the new method is similar to ACME dns-01.
  • It is intended to solve a conflict that arises when organizations use multiple cloud providers and each provider automates DNS validation by asking for a CNAME delegation.
  • The ballot explains that dns-01 hard-codes the _acme-challenge label and DNS standards allow only one CNAME record per zone, creating the conflict this method addresses.
  • The validation domain name is made unique by adding a prepended label calculated from the ACME account ID.
  • The ballot says this approach aligns the method with similar domain name validation techniques documented by the DNS Operations WG.
  • The ballot references the current stable draft RFC and says a subsequent ballot will update the reference once the draft becomes an official RFC.

Normative changes in the added method

  • The token defined in Section 3.1 of the referenced draft must not be used for more than 30 days from its creation.
  • A CPS may specify a shorter token validity period, and if it does, the CA must follow its CPS.
  • CAs using this method must implement Multi-Perspective Issuance Corroboration as specified in Section 3.2.2.9.
  • For corroboration, a Network Perspective must observe the same token as the Primary Network Perspective.
  • After validating an FQDN with this method, the CA may also issue certificates for other FQDNs that end with all the domain labels of the validated FQDN.
  • The method is suitable for validating Wildcard Domain Names.
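
The reuse and token-age rules above are easy to get wrong with plain string comparison, so here is an added example (not part of the ballot or the Baseline Requirements text) that checks them label by label. The function names, the sample names and the dates are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(days=30)  # upper bound stated in the summary above


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring one trailing root dot."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def covered_by_validation(requested, validated_fqdn):
    """True if `requested` ends with all the domain labels of `validated_fqdn`.

    The comparison is per label, not per character: a string suffix test
    would wrongly accept "evilexample.com" for a validated "example.com".
    """
    req = _labels(requested)
    if req[0] == "*":  # wildcard name: compare the part under the "*" label
        req = req[1:]
    val = _labels(validated_fqdn)
    if not req or "" in req or "" in val:
        return False  # empty label means a malformed name
    return len(req) >= len(val) and req[-len(val):] == val


def token_usable(created, now, cps_validity=None):
    """True if the token is within 30 days of creation, or within the
    shorter period a CPS specifies (assumption: passed in as a timedelta)."""
    limit = MAX_TOKEN_AGE
    if cps_validity is not None:
        limit = min(cps_validity, MAX_TOKEN_AGE)
    age = now - created
    return timedelta(0) <= age <= limit


if __name__ == "__main__":
    # Constructed sample data.
    created = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for name in ("www.example.com", "*.example.com", "evilexample.com"):
        print(name, covered_by_validation(name, "example.com"))
    print(token_usable(created, created + timedelta(days=31)))
```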

Process details

  • The motion proposed modifying the TLS Baseline Requirements based on Version 2.1.2 using the linked redline.
  • The motion was proposed by Wayne Thayer and endorsed by Ben Wilson, Corey Bonnell, Dustin Hollenback, and Ryan Dickson.
  • The ballot was processed as a Final Maintenance Guideline.
  • The discussion period ran from 2025-01-10 20:00 UTC to 2025-01-21 17:00 UTC.
  • The voting period ran from 2025-01-21 17:00 UTC to 2025-01-28 17:00 UTC.
  • The review period ran from 2025-01-28 18:00:00 UTC to 2025-02-27 18:00:00 UTC.
Model: gpt-5.4 Revised: 2026-06-23 22:01 UTC Confidence: 0.84 Result: passed

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Vote result

Certificate Issuers 19 yes 0 no 0 abstain
Certificate Consumers 4 yes 0 no 0 abstain

CABF ballot approval depends on both voting classes; CA votes alone are not decisive.

23 Yes
0 No
0 Abstain

100% yes · 0% no

Proposers

Wayne Thayer (Fastly) and endorsed by Ben Wilson (Mozilla), Corey Bonnell (DigiCert), Dustin Hollenback (Microsoft), and Ryan Dickson (Chrome)
