[Servercert-wg] Ballot SC-XX: Modify section 3.2.2.4.7 to clarify CA Assisted DNS Validation [DRAFT]
Slaughter, Michael
slghtr at amazon.com
Thu Apr 25 21:34:20 UTC 2024
Hello all,
Here is a draft ballot that proposes changes to section 3.2.2.4.7 of the TLS Server Certificate BRs that make it clear that CAs are authorized to operate domains for the purpose of assisting Applicants with performing DNS validation.
I am seeking two endorsers.
Note: Redline link will be replaced with the immutable commit link after two endorsers have been secured.
Please provide any input/feedback that you may have on the PR linked below.
Thanks,
Michael Slaughter of Amazon Trust Services
-----------------
Purpose of Ballot SC-XX
This ballot will provide updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to section 3.2.2.4.7 "DNS Change". This ballot makes it clear that CAs are authorized to operate domains for the purpose of assisting applicants with domain control verification under method 3.2.2.4.7.
Notes:
* This ballot defines a "Canonical Authorization Domain Name".
  * In the CNAME record: _somethingsomething.example.com. IN CNAME accountbindingid.cadomain.com
    * _somethingsomething.example.com is an underscore prefixed Authorization Domain Name.
    * accountbindingid.cadomain.com is the Canonical Authorization Domain Name.
* This ballot makes it clear that CAs are authorized to operate domains for the purpose of assisting applicants with domain control verification under method 3.2.2.4.7 and adds requirements for the practice.
* As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version # and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.4).
* This ballot does not modify the “Guidelines for the Issuance and Management of Extended Validation Certificates”.
The following motion has been proposed by Michael Slaughter of Amazon, and endorsed by XX of XX and XX of XX.
— Motion Begins —
This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates” (“Baseline Requirements”), based on Version 2.0.4.
MODIFY the Baseline Requirements as specified in the following Redline:
Here is a link to the GitHub Redline: https://github.com/cabforum/servercert/pull/501/files
— Motion Ends —
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (7+ days)
• Start time: XXXX-XX-XX 22:00:00 UTC
• End time: XXXX-XX-XX 22:00:00 UTC
Vote for approval (7 days)
• Start time: XXXX-XX-XX 22:00:00 UTC
• End time: XXXX-XX-XX 22:00:00 UTC