From be61f1296401b4fcc355d6b141b049f09e7cddfd Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Sun, 2 Mar 2025 17:44:12 -0500 Subject: [PATCH 01/14] Sunset .arpa --- docs/BR.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index eade2e03..72c0da16 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.4 +subtitle: Version 2.1.X author: - CA/Browser Forum -date: 1-March-2025 +date: X-Y-2025 copyright: | Copyright 2025 CA/Browser Forum @@ -148,6 +148,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.1.2 | SC80 | Strengthen WHOIS lookups and Sunset Methods 3.2.2.4.2 and 3.2.2.4.15 | 7-Nov-2024 | 16-Dec-2024 | | 2.1.3 | SC83 | Winter 2024-2025 Cleanup Ballot | 23-Jan-2025 | 24-Feb-2025 | | 2.1.4 | SC84 | DNS Labeled with ACME Account ID Validation Method | 28-Jan-2025 | 1-Mar-2025 | +| 2.1.X | SCXX | Sunset inclusion of Address and Routing Parameter Area Names | XX-YY-2025 | XX-YY-2025 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -208,6 +209,8 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | 2025-07-15 | 3.2.2.4 | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | +| 2025-09-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. | + ## 1.3 PKI Participants The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications. 
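Review bot: the third hunk of PATCH 01 (the `@@ -208,6 +209,8 @@` compliance-date table) adds a bare `+` blank line after the new `2025-09-15` row, on top of the blank line that already precedes `## 1.3 PKI Participants`, so the rendered Markdown now has two consecutive blank lines before the heading; drop the added blank line and keep only the table row. The `2.1.X | SCXX | ... | XX-YY-2025 | XX-YY-2025` placeholders in the second hunk are fine for a draft, but the surrounding rows use the `D-Mon-YYYY` form (`28-Jan-2025`, `1-Mar-2025`), so the final values should follow that form rather than the `XX-YY` shape.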
@@ -301,6 +304,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Application Software Supplier**: A supplier of Internet browser software or other relying-party application software that displays or uses Certificates and incorporates Root Certificates. +**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Example: `1.1.168.192.in-addr.arpa`. + **Attestation Letter**: A letter attesting that Subject Information is correct written by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information. **Audit Period**: In a period-of-time audit, the period between the first day (start) and the last day of operations (end) covered by the auditors in their engagement. (This is not the same as the period of time when the auditors are on-site at the CA.) The coverage rules and maximum length of audit periods are defined in [Section 8.1](#81-frequency-or-circumstances-of-assessment). 
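Review bot: this definition is inserted between **Application Software Supplier** and **Attestation Letter**, but the 1.6.1 list is alphabetical and "Address..." sorts before **Affiliate**, so the entry belongs at the top of the list. Two points on the content as well: "A Domain Name whose Top-Level Domain is "arpa"" covers every name under the arpa TLD, not only the in-addr.arpa reverse-mapping tree the example illustrates, so confirm that the broad scope is intended; and the example `1.1.168.192.in-addr.arpa` reverses the private address 192.168.1.1, where an address from a documentation range (RFC 5737 for IPv4) would avoid naming space that real networks use. A matching ip6.arpa example would also help, since the definition covers both trees.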
@@ -379,7 +384,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **High Risk Certificate Request**: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage, names contained in previously rejected certificate requests or revoked Certificates, names listed on the Miller Smiles phishing list or the Google Safe Browsing list, or names that the CA identifies using its own risk-mitigation criteria. -**Internal Name**: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA's Root Zone Database. +**Internal Name**: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top-Level Domain registered in IANA's Root Zone Database. **IP Address**: A 32-bit or 128-bit number assigned to a device that uses the Internet Protocol for communication. 
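Review bot: the hyphenation change in the **Internal Name** definition ("Top Level Domain" to "Top-Level Domain") is the right call now that **Top-Level Domain** becomes a defined term in this same patch, but check the rest of `docs/BR.md` for other unhyphenated occurrences so the defined term is used consistently wherever the concept appears; only this one line is touched here.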
@@ -512,6 +517,8 @@ The script outputs: **Test Certificate**: This term is no longer used in these Baseline Requirements. +**Top-Level Domain**: From RFC 8499 (https://tools.ietf.org/html/rfc8499): "A Top-Level Domain is a zone that is one layer below the root, such as "com" or "jp"." + **Trustworthy System**: Computer hardware, software, and procedures that are: reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. **Unregistered Domain Name**: A Domain Name that is not a Registered Domain Name. @@ -1246,7 +1253,9 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti ### 4.2.2 Approval or rejection of certificate applications -CAs SHALL NOT issue certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). +CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). + +Effective 2025-09-15, CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. ### 4.2.3 Time to process certificate applications 
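Review bot: in the `@@ -512,6 +517,8 @@` hunk the quoted RFC 8499 text nests double quotes inside double quotes (`"A Top-Level Domain is a zone that is one layer below the root, such as "com" or "jp"."`), which reads as the quotation ending after "such as"; use single quotes or backticks for `com` and `jp` inside the outer quotation. The `https://tools.ietf.org/html/rfc8499` link works via redirect, but the canonical `https://www.rfc-editor.org/rfc/rfc8499` form is the more durable reference. In the `@@ -1246,7 +1253,9 @@` hunk, the existing 4.2.2 sentence explains why Internal Names and Reserved IP Addresses are prohibited (they cannot be validated under 3.2.2.4 or 3.2.2.5), while the new "Effective 2025-09-15" sentence gives no rationale for prohibiting Address and Routing Parameter Area Names; a short reason would help CAs and auditors apply the rule. The capitalization change "certificates" to "Certificates" in the first sentence is unrelated to the ballot and would be cleaner as its own cleanup commit.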
@@ -2749,7 +2758,7 @@ Table: `GeneralName` within a `subjectAltName` extension | --- | - | ------ | | `otherName` | N | - | | `rfc822Name` | N | - | -| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | +| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2025-09-15, the entry MUST NOT contain an Address and Routing Parameter Area Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | | `x400Address` | N | - | | `directoryName` | N | - | | `ediPartyName` | N | - | 
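Review bot: the effective date 2025-09-15 now appears in three places (the Section 1.2 compliance table, Section 4.2.2, and this `dNSName` row), so any later change to the date has to be made three times; consider phrasing the table entry as "MUST NOT contain an Address and Routing Parameter Area Name (see Section 4.2.2)" and keeping the date only in 4.2.2 and the compliance table. The explicit prohibition is needed in this row because names under arpa end in a Top-Level Domain registered in the IANA Root Zone Database and therefore are not Internal Names under the definition amended in the `@@ -379,7 +384,7 @@` hunk; stating that in the ballot text would make the relationship between the two exclusions clear.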
From f1c2c5575d2ad0202dddcb67a1fa3842c3abd106 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Sun, 2 Mar 2025 17:46:33 -0500 Subject: [PATCH 02/14] Fix ballot name capitalization --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 72c0da16..452de7f9 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -148,7 +148,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.1.2 | SC80 | Strengthen WHOIS lookups and Sunset Methods 3.2.2.4.2 and 3.2.2.4.15 | 7-Nov-2024 | 16-Dec-2024 | | 2.1.3 | SC83 | Winter 2024-2025 Cleanup Ballot | 23-Jan-2025 | 24-Feb-2025 | | 2.1.4 | SC84 | DNS Labeled with ACME Account ID Validation Method | 28-Jan-2025 | 1-Mar-2025 | -| 2.1.X | SCXX | Sunset inclusion of Address and Routing Parameter Area Names | XX-YY-2025 | XX-YY-2025 | +| 2.1.X | SCXX | Sunset the Inclusion of Address and Routing Parameter Area Names | XX-YYY-2025 | XX-YY-2025 | \* Effective Date and Additionally Relevant Compliance Date(s) From b3d594c4942d83b200c90cba861299bbba88fa91 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Sun, 2 Mar 2025 20:53:57 -0500 Subject: [PATCH 03/14] Fix definition ordering, use IP address from RFC 5737 --- docs/BR.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 452de7f9..45fca5d2 100644 --- a/docs/BR.md +++ b/docs/BR.md 
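Review bot: the PATCH 02 hunk changes the first date placeholder to `XX-YYY-2025` but leaves the second as `XX-YY-2025`, so the two columns of the same row now use different placeholder shapes; pick one (the `DD-Mon-YYYY` form used by the rows above, e.g. `28-Jan-2025`) for both. The capitalization fix in the ballot title ("Sunset the Inclusion of ...") matches the title case of the neighbouring rows.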
@@ -292,6 +292,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions +**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Example: `1.2.0.192.in-addr.arpa`. + **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. **Applicant**: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate is issued, the Applicant is referred to as the Subscriber. For Certificates issued to devices, the Applicant is the entity that controls or operates the device named in the Certificate, even if the device is sending the actual certificate request. @@ -304,8 +306,6 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **Application Software Supplier**: A supplier of Internet browser software or other relying-party application software that displays or uses Certificates and incorporates Root Certificates. -**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Example: `1.1.168.192.in-addr.arpa`. - **Attestation Letter**: A letter attesting that Subject Information is correct written by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information. **Audit Period**: In a period-of-time audit, the period between the first day (start) and the last day of operations (end) covered by the auditors in their engagement. (This is not the same as the period of time when the auditors are on-site at the CA.) The coverage rules and maximum length of audit periods are defined in [Section 8.1](#81-frequency-or-circumstances-of-assessment). From 951a3da65c731e1962e241a7cf7cb88dc919e9d0 Mon Sep 17 00:00:00 2001 
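Review bot: moving the definition ahead of **Affiliate** (first hunk) and deleting the old copy (second hunk) puts it in the correct alphabetical position; `1.2.0.192.in-addr.arpa` correctly reverses 192.0.2.1 from the RFC 5737 TEST-NET-1 range, as the commit message states. Since the definition covers the whole arpa tree, an `ip6.arpa` example drawn from the IPv6 documentation prefix would make the IPv6 case equally concrete.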
From: Corey Bonnell Date: Tue, 22 Apr 2025 13:29:00 -0400 Subject: [PATCH 04/14] Add example from Dimitris --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 45fca5d2..22cb201f 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -292,7 +292,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions -**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Example: `1.2.0.192.in-addr.arpa`. +**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `6.4.0.0.1.0.0.0.7.0.2.0.5.5.1.0.1.0.0.0.0.0.8.2.8.4.6.0.1.0.0.2.ip6.arpa` (IP version 6). **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. From eb77d84c32b461902c30e448b0dcfd6f7eb7f87f Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Tue, 22 Apr 2025 13:30:01 -0400 Subject: [PATCH 05/14] Bump version for Ubuntu runner --- .github/workflows/build-draft-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-draft-docs.yml b/.github/workflows/build-draft-docs.yml index a8af8a55..cefeeaf7 100644 --- a/.github/workflows/build-draft-docs.yml +++ b/.github/workflows/build-draft-docs.yml @@ -9,7 +9,7 @@ jobs: - 'EVG' - 'NSR' name: Build ${{ matrix.document }} - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout the code uses: actions/checkout@v3 From bc345f4920593f4202a7f99efa60c92a6d21af35 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 24 Apr 2025 22:10:55 -0400 Subject: [PATCH 06/14] Use RFC 3849 network for IPv6 example --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
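Review bot: in the PATCH 04 hunk the new IPv6 example `6.4.0.0.1.0.0.0.7.0.2.0.5.5.1.0.1.0.0.0.0.0.8.2.8.4.6.0.1.0.0.2.ip6.arpa` reads back (nibbles reversed) to 2001:648:2800:1:155:207:1:46, which is not in the 2001:db8::/32 documentation prefix; the previous commit deliberately moved the IPv4 example into RFC 5737 space, so the IPv6 example should likewise come from RFC 3849 space rather than a prefix that someone actually holds.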
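Review bot: the PATCH 05 change to `.github/workflows/build-draft-docs.yml` replaces the pinned `ubuntu-20.04` with the floating `ubuntu-latest`, which means the draft-document build image can change underneath the workflow without any commit to this repository; a pinned current release label (for example `ubuntu-24.04`) keeps the build reproducible while still moving off the retired image. The `actions/checkout@v3` step visible in the context is also a candidate for updating in the same pass. This CI change is unrelated to the ballot text and would be easier to track as a separate PR.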
diff --git a/docs/BR.md b/docs/BR.md index 22cb201f..acf8bc92 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -292,7 +292,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions -**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `6.4.0.0.1.0.0.0.7.0.2.0.5.5.1.0.1.0.0.0.0.0.8.2.8.4.6.0.1.0.0.2.ip6.arpa` (IP version 6). +**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. From 1bb8b58ff2c9c4c1c07bb406f6d7a19b36830984 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Tue, 16 Sep 2025 15:50:18 -0400 Subject: [PATCH 07/14] Apply suggestions from code review Co-authored-by: Dimitris Zacharopoulos --- docs/BR.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index acf8bc92..2ead8dc5 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -209,7 +209,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2025-03-15 | 3.2.2.9 | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | 2025-07-15 | 3.2.2.4 | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | -| 2025-09-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. | +| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. | ## 1.3 PKI Participants 
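Review bot: the PATCH 06 example `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` decodes to 2001:db8::1, so it is now inside the RFC 3849 documentation prefix as the commit message says. Neither example states the forward address it reverses; adding "(192.0.2.1)" and "(2001:db8::1)" after the two names would let readers verify the reversal without counting 32 nibbles.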
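Review bot: the first PATCH 07 hunk (`@@ -209,7 +209,7 @@`) moves the compliance date from 2025-09-15 to 2026-03-15 and the later hunk in the same patch updates Section 4.2.2, but the `dNSName` row in the `subjectAltName` table still carries "Effective 2025-09-15" after this commit, so the document is internally inconsistent until the follow-up commit lands; squashing the two commits, or removing the duplicated date from the table row, avoids a revision with two different effective dates.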
@@ -292,7 +292,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions -**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain is "arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). +**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain ends with the labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. @@ -1255,7 +1255,7 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -Effective 2025-09-15, CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. ### 4.2.3 Time to process certificate applications From aed13ec0faea683fcb72bd3226787bc37c3c618b Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Tue, 16 Sep 2025 15:50:31 -0400 Subject: [PATCH 08/14] Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 2ead8dc5..ea3250c6 100644 --- a/docs/BR.md +++ b/docs/BR.md 
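Review bot: the definition in the `@@ -292,7 +292,7 @@` hunk now reads "whose Top-Level Domain ends with the labels "in-addr.arpa" or "ip6.arpa"", but by the **Top-Level Domain** definition added earlier in this series the TLD of these names is just "arpa"; it is the Domain Name, not its TLD, that ends with those labels. Narrowing the scope to the two reverse-mapping trees also leaves the defined term "Address and Routing Parameter Area Name" describing the whole arpa tree while the definition covers only part of it; either the name should change to match the narrower scope or the definition should keep the original breadth.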
@@ -2758,7 +2758,7 @@ Table: `GeneralName` within a `subjectAltName` extension | --- | - | ------ | | `otherName` | N | - | | `rfc822Name` | N | - | -| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2025-09-15, the entry MUST NOT contain an Address and Routing Parameter Area Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | +| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain an Address and Routing Parameter Area Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). 
| | `x400Address` | N | - | | `directoryName` | N | - | | `ediPartyName` | N | - | From 2efb50ae30fddc93bfb85e714a574056d3413611 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 18 Sep 2025 15:01:28 -0400 Subject: [PATCH 09/14] Fix definition --- docs/BR.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 0ab2d51f..5b69f11a 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -219,13 +219,12 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2026-03-15 | 3.2.2.8.1 | DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective. | | 2026-03-15 | 3.2.2.8.1 | CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated CAA record lookups. | | 2026-03-15 | 3.2.2.8.1 | DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue. | +| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing IP Reverse Address Domain Names. | | 2027-03-15 | 4.2.1 | Domain Name and IP Address validation maximum data reuse period is 100 days. | | 2027-03-15 | 6.3.2 | Maximum validity period of Subscriber Certificates is 100 days. | | 2029-03-15 | 4.2.1 | Domain Name and IP Address validation maximum data reuse period is 10 days. | | 2029-03-15 | 6.3.2 | Maximum validity period of Subscriber Certificates is 47 days. | -| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. | - ## 1.3 PKI Participants The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications. 
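Review bot: the PATCH 09 `@@ -219,13 +219,12 @@` hunk correctly moves the 4.2.2 row into date order between the 2026-03-15 DNSSEC rows and the 2027-03-15 rows, and it removes the stray blank line introduced in PATCH 01. Unrelated to this ballot but visible in the context lines: "CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated CAA record lookups" is missing "with" after "associated"; worth a separate cleanup.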
@@ -307,7 +306,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions -**Address and Routing Parameter Area Name**: A Domain Name whose Top-Level Domain ends with the labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). +**IP Reverse Address Domain Name**: A Domain Name whose Top-Level Domain ends with the labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. @@ -1333,7 +1332,7 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Address and Routing Parameter Area Names. +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing IP Reverse Address Domain Names. ### 4.2.3 Time to process certificate applications 
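Review bot: renaming the term to **IP Reverse Address Domain Name** in the `@@ -307,7 +306,7 @@` hunk leaves the entry at the head of the alphabetical list, before **Affiliate**, where only an "A" term belongs; it now needs to move to the "I" entries. The definition text still says "whose Top-Level Domain ends with the labels", which remains incorrect for the reason raised on the previous patch (the TLD is "arpa"; the Domain Name is what ends with those labels).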
@@ -2871,7 +2870,7 @@ Table: `GeneralName` within a `subjectAltName` extension | --- | -- | ----- | | `otherName` | N | - | | `rfc822Name` | N | - | -| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain an Address and Routing Parameter Area Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | +| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain an IP Reverse Address Domain Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). 
| | `x400Address` | N | - | | `directoryName` | N | - | | `ediPartyName` | N | - | From 469733c1d10ac5cfab8390c9d5e5d8dac1a282c6 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 18 Sep 2025 15:03:53 -0400 Subject: [PATCH 10/14] More fixup --- docs/BR.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 5b69f11a..8eb8ddd8 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -306,8 +306,6 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S ### 1.6.1 Definitions -**IP Reverse Address Domain Name**: A Domain Name whose Top-Level Domain ends with the labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). - **Affiliate**: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity. **Applicant**: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate is issued, the Applicant is referred to as the Subscriber. For Certificates issued to devices, the Applicant is the entity that controls or operates the device named in the Certificate, even if the device is sending the actual certificate request. 
@@ -406,6 +404,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **IP Address Registration Authority**: The Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC). +**IP Reverse Address Domain Name**: A Domain Name that ends with the Domain Labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). + **Issuing CA**: In relation to a particular Certificate, the CA that issued the Certificate. This could be either a Root CA or a Subordinate CA. **Key Compromise**: A Private Key is said to be compromised if its value has been disclosed to an unauthorized person, or an unauthorized person has had access to it. From 568959309a65b8150e0953075f3dc460103a611f Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Wed, 22 Oct 2025 09:21:44 -0400 Subject: [PATCH 11/14] Align definition with SC-91 --- docs/BR.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 8eb8ddd8..600d0a61 100644 --- a/docs/BR.md +++ b/docs/BR.md 
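Review bot: the `@@ -406,6 +404,8 @@` hunk places the entry correctly between **IP Address Registration Authority** and **Issuing CA**, and "A Domain Name that ends with the Domain Labels "in-addr.arpa" or "ip6.arpa"" fixes the Top-Level Domain wording. Because the test is on whole Domain Labels, a name such as `xin-addr.arpa` would not match while `in-addr.arpa` itself would; it would be worth stating that the comparison is label-wise and case-insensitive (DNS names are), so an implementer does not reduce it to a case-sensitive string suffix check.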
@@ -219,7 +219,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2026-03-15 | 3.2.2.8.1 | DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective. | | 2026-03-15 | 3.2.2.8.1 | CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated CAA record lookups. | | 2026-03-15 | 3.2.2.8.1 | DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue. | -| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing IP Reverse Address Domain Names. | +| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix. | | 2027-03-15 | 4.2.1 | Domain Name and IP Address validation maximum data reuse period is 100 days. | | 2027-03-15 | 6.3.2 | Maximum validity period of Subscriber Certificates is 100 days. | | 2029-03-15 | 4.2.1 | Domain Name and IP Address validation maximum data reuse period is 10 days. | 
@@ -404,7 +404,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **IP Address Registration Authority**: The Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC). -**IP Reverse Address Domain Name**: A Domain Name that ends with the Domain Labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). +**IP Reverse Zone Suffix**: One of the two FQDNs that consist of the Domain Labels "in-addr.arpa" or "ip6.arpa". These two FQDNs serve as the root of the IP version 4 and IP version 6 reverse mapping space. "in-addr.arpa" is the root of the IP version 4 reverse mapping space and "ip6.arpa" is the root of the IP version 6 reverse mapping space. **Issuing CA**: In relation to a particular Certificate, the CA that issued the Certificate. This could be either a Root CA or a Subordinate CA. @@ -1332,7 +1332,7 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -Effective 2026-03-15, CAs SHALL NOT issue Certificates containing IP Reverse Address Domain Names. +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in a IP Reverse Address Suffix. ### 4.2.3 Time to process certificate applications 
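Review bot: in the `@@ -404,7 +404,7 @@` hunk the second and third sentences of the **IP Reverse Zone Suffix** definition say the same thing ("These two FQDNs serve as the root of the IP version 4 and IP version 6 reverse mapping space" is then restated per suffix); keep one of them. The RFC 5737 and RFC 3849 examples that earlier commits worked to get right are dropped here; since the new term is a suffix rather than a name, they could be carried into Section 4.2.2 as examples of prohibited Domain Names so the concrete cases are not lost.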
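Review bot: the `@@ -1332,7 +1332,7 @@` hunk writes "end in a IP Reverse Address Suffix", but the term defined in the previous hunk of this same patch is **IP Reverse Zone Suffix**, so 4.2.2 references a term that does not exist; "a IP" should also be "an IP". Both need fixing in this commit rather than in follow-ups, since each defined term must match its definition exactly for the requirement to be enforceable.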
@@ -2870,7 +2870,7 @@ Table: `GeneralName` within a `subjectAltName` extension | --- | -- | ----- | | `otherName` | N | - | | `rfc822Name` | N | - | -| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain an IP Reverse Address Domain Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | +| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain a Domain Name that ends in an IP Address Reverse Zone Suffix. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). 
| | `x400Address` | N | - | | `directoryName` | N | - | | `ediPartyName` | N | - | From 8c97aea9abfc19b432f5999b148214e74ec837d2 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Wed, 22 Oct 2025 13:43:59 -0400 Subject: [PATCH 12/14] Fix defined term --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 600d0a61..7d347c1e 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1332,7 +1332,7 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in a IP Reverse Address Suffix. +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in a IP Reverse Zone Suffix. ### 4.2.3 Time to process certificate applications From b249b191249e834aeffb32dc633249ad55658e1a Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Wed, 22 Oct 2025 13:44:52 -0400 Subject: [PATCH 13/14] "a" -> "an" --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 7d347c1e..0597b274 100644 --- a/docs/BR.md +++ b/docs/BR.md 
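Review bot: PATCH 12 corrects 4.2.2 to "IP Reverse Zone Suffix", but the `dNSName` row added in the preceding PATCH 11 `@@ -2870,7 +2870,7 @@` hunk still reads "a Domain Name that ends in an IP Address Reverse Zone Suffix", which is a third variant of the term and again does not match the definition; the table row needs the same correction. This is the duplication problem raised on PATCH 01: the same requirement is restated in the compliance table, 4.2.2 and the SAN table, and each rename has to be applied in all three places.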
@@ -1332,7 +1332,7 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). -Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in a IP Reverse Zone Suffix. +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix. ### 4.2.3 Time to process certificate applications From c4b8033bff54dc391b10672c04a782e1305586d4 Mon Sep 17 00:00:00 2001 From: Dimitris Zacharopoulos Date: Mon, 15 Dec 2025 13:42:50 +0200 Subject: [PATCH 14/14] Update version number and dates --- docs/BR.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 443c51b3..81e29c2c 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.9 +subtitle: Version 2.2.0 author: - CA/Browser Forum -date: 10-November-2025 +date: 15-December-2025 copyright: | Copyright 2025 CA/Browser Forum @@ -153,6 +153,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.1.7 | SC089 | Mass Revocation Planning | 23-Jul-2025 | 25-Aug-2025 | | 2.1.8 | SC092 | Sunset Precertificate Signing CAs | 03-Oct-2025 | 04-Nov-2025 | | 2.1.9 | SC088 | DNS TXT Record with Persistent Value DCV Method | 09-Oct-2025 | 10-Nov-2025 | +| 2.2.0 | SC086 | Sunset the Inclusion of Address and Routing Parameter Area Names | 2025-11-13 | 2026-12-15 | \* Effective Date and Additionally Relevant Compliance Date(s)
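Review bot: in the PATCH 14 `@@ -153,6 +153,7 @@` hunk the new ballot row `2.2.0 | SC086 | ... | 2025-11-13 | 2026-12-15` uses ISO dates while every other row in the table uses `DD-Mon-YYYY` (`09-Oct-2025`, `10-Nov-2025`); match the existing format. The effective date `2026-12-15` also looks like a typo: the front-matter hunk in the same patch sets the document date to 15-December-2025, the other rows show effective dates about a month after adoption, and the Section 1.2 compliance table places the requirement at 2026-03-15, so `15-Dec-2025` is the value consistent with the rest of the document. Finally, the row title still says "Address and Routing Parameter Area Names", a term that PATCH 09 removed from the document; if that is the adopted ballot name it can stay, but the commit should say so.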