<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 15, 2014 at 1:49 PM, Ryan Sleevi <span dir="ltr"><<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Wed, Jan 15, 2014 at 10:37 AM, Bruce Morton <span dir="ltr"><<a href="mailto:bruce.morton@entrust.com" target="_blank">bruce.morton@entrust.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ryan,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I hear your objection, but here is an example of what is happening:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A company like Honda gets a publicly trusted SSL certificate which includes the SAN for honda.tokyo. ICANN approved .tokyo as a new gTLD. Honda has a legitimate
certificate, but they just need to register honda.tokyo. The problem is the registry is not available within 120 days. Is it legitimate that the CA must revoke the certificate, Honda must find a new solution, then when the registry is available that Honda
must then reverse the situation?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The 30 day issue is just a number and can be debated. With the current policy the registry could be available in 60 days, but there are 120 days until the certificate
must be revoked, so an attack problem already exists.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks again for your review, Bruce.</span></p></div></div></blockquote><div><br></div></div><div>Hi Bruce,</div>
<div><br></div><div>So, there's a couple problems in this scenario.</div><div><br></div><div>1) Honda should not hav egotten a publicly trusted certificate which includes a SAN for honda.tokyo.</div><div><br></div><div>
We've agreed this is a problematic process, and in a user agent like Chrome, will be outright rejected as such. While it's extremely unfortunate that they were able to get such a cert in the first place, I see it as a "bug", not a "feature".</div>
<div><br></div><div>2) Yes. Honda, nor any company for that matter, should be able to obtain honda.tokyo until they can demonstrate ownership.</div><div><br></div><div>The revocation requirement exists because there are too many nuances here, and even more unfortunately, too many internal server names that have been issued.</div>
<div><br></div><div>3) ICANN's advice to new registrants has been precipitated based on the CA/B Forum's requirements. In particular, registries that allow registration in 30 days - or 60 days - is making unfortunate security decisions that unquestionably put their customers/registrants at risk.</div>
<div><br></div><div>This is why, for example, ICANN / the SSAC canvassed CAs to try to understand the risks, as well as help inform new applicants the risks based on different timing.</div><div><br></div><div>Much like Chrome does not respect internal server names from publicly trusted CAs, we'd strongly oppose any measures that seek to loosen the current requirements for revocation. Ideally, we'd love to see the practice ceased altogether.</div>
<div><br></div><div>Best regards,</div><div>Ryan</div><div><div class="h5"><div> </div></div></div></div></div></div></blockquote><div><br></div><div>Reposting to cabfpub as well, per earlier.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple">
<div><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>]
<br>
<b>Sent:</b> Thursday, January 09, 2014 1:27 PM<br>
<b>To:</b> Bruce Morton<br>
<b>Cc:</b> <a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a>; CABFPub</span></p><div><br>
<b>Subject:</b> Re: [cabfquest] New gTLD Issue<u></u><u></u></div><p></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Thu, Jan 9, 2014 at 8:58 AM, Bruce Morton <<a href="mailto:bruce.morton@entrust.com" target="_blank">bruce.morton@entrust.com</a>> wrote:<u></u><u></u></p><div><div>
<div>
<div>
<p class="MsoNormal">I’m not sure if this has been discussed, but I see a problem with moving to new gTLDs.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">BR 11.1.4 states “Within 120 days after the publication of a contract for a new gTLD is published on [<a href="http://www.icann.org" target="_blank">www.icann.org</a>], CAs MUST
revoke each Certificate containing a Domain Name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the Domain Name.”<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">The solution is to advise the customer to register the domain and if they cannot, then the certificate would be revoked. This does assume that a registry is available. The problem
is that there is no guarantee that the registry will be available within 120 days.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">In many cases the Subscriber will be eligible to register the domain. If there is no registry, then there is no conflict with anyone else registering the same domain name. As such
there is no increased risk.<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The goal is, of course, to phase these names out entirely, and the plan described is a temporary plan until 1 November 2015 comes in to play and no new private registrations are allowed. Some browsers (eg: Chrome) have gone ahead and already
disallowed publicly trusted CAs (eg: those in the known root stores) from issuing against non-IANA assigned TLDs.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I’m trying to figure out the wording for the standard, but if there is no registry available after 120 days, then the certificate SHOULD NOT be revoked. The Subscriber should be
given 30 days from when the registry is available to get the domain deployed. The problem is there is no notice when a registry is available, so as a service, the CA could check for the registry on a regular basis and advise the Subscriber when the registry
is available.<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The goal of the wording was to prevent a situation where the current subscriber is unable to register the name, and some other party - presumably with an as-legitimate-or-more-legitimate claim to the name - is able to register. By allowing
30 days from when the registry is available, this creates an opportunity for the subscriber to 'mount an attack' for up to 30 days before the CA performs the registration-or-revoke check.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">As I read it, the language here provides for subscribers who are also applying for registries, since even after gTLD approval, there is still the execution of the registry agreement and pre-delegation testing.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Speaking on the browser side, we'd strongly oppose any proposals or interpretations that encourage the continued use of these certificates. The choice of 120 days was a compromise from the initial proposal of "immediate". The goal of 120
days is not to give a window of continued acceptable operation - it's to provide a maximum upper-bound of time needed for the subscriber to transition away from the name. The only equitable AND enforceable balance is one that's applied consistently.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">It should also be determined how this would be integrated with BR 9.2.1 which states that certificates without registered domains must not be issued after 1 November 2015 and must
be revoked by 1 October 2016. If the gTLD has been approved, but there is no registry, then we should consider not taking this action until a registry is available. <u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Respectfully, I would have to disagree. These names should not have been issued to begin with, since it undermines the security of SSL for all users who might use those names, and assurances that customers are "OV validated" does little
to provide any sort of programmatic guarantees.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Bruce Morton<u></u><u></u></p>
<p class="MsoNormal">Entrust Certificate Services<u></u><u></u></p>
<p class="MsoNormal"><a href="tel:%2B1%20613.270.3743" target="_blank">+1 613.270.3743</a><u></u><u></u></p>
<p class="MsoNormal"><a href="http://www.entrust.com/author/bruce-morton/" target="_blank">ECS Blog</a><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Questions mailing list<br>
<a href="mailto:Questions@cabforum.org" target="_blank">Questions@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/questions" target="_blank">https://cabforum.org/mailman/listinfo/questions</a><u></u><u></u></p>
</blockquote>
</div></div></div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
</blockquote></div></div></div><br></div></div>
</blockquote></div><br></div></div>