<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 6, 2014 at 5:46 AM, Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On 31/01/14 21:55, Ryan Sleevi wrote:<br>
> I would expect you to at least be re-issuing the certificate, since the<br>
> original certificate's domain validation procedures clearly failed the<br>
> requirements of 11.1.1 with respect to the "new" gTLD, and I would still<br>
> expect the previous certificate to be revoked.<br>
<br>
</div>Ryan,<br>
<br>
Are you sure about this? My understanding was that we were attempting to<br>
create a safe overlap so that such certificates would not all need to be<br>
revoked.<br>
<br>
As an example, if BigCorp had an internal network which used ".bigcorp",<br>
and if they were to succeed in getting ".bigcorp" (indeed, this could be<br>
the sole reason they forked out $300K to get it, to avoid the 2015<br>
internal-certocalypse), then we would not want every certificate they<br>
are using internally, which may number in the thousands, to have to be<br>
revoked and reissued (potentially, bit-for-bit identically).<br>
<br>
Gerv<br>
</blockquote></div><br></div><div class="gmail_extra">Gerv,</div><div class="gmail_extra"><br></div><div class="gmail_extra">I do view such revocations as desirable, or at least requiring further clarification within the BRs if we're not going to require it.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">In particular, I'm concerned for the situation of CAs that have issued "purely internal" certificates to BigCorp, which may not be BR compliant, on the liberal interpretation that the Scope (Section 1 of BRs 1.1.6) only applies to "[...] Certificates intended to be used for authenticating servers accessible through the Internet." It's clear that some CAs view a class of issuance as "exempt" from the BRs, as we've seen within the discussions of certain payment providers/POS systems.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">I don't think it's sufficient to state something like "Everything else in the cert is BR compliant", since there are a number of other time-gated ("at time of issuance") aspects of the BRs - such as Section 7.1.2.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">A clarification that might avoid revocation:</div><div class="gmail_extra">"Within 120 days after a contract for a new gTLD is published on [<a href="http://www.icann.org">www.icann.org</a>], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the CA can demonstrate the certificate is compliant with all requirements of this document if the certificate issuance date were treated as being on or after such contract publication."</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Of course, this opens up a new issue - namely, that if the BRs have tightened since the (intranet) certificate was issued, such a certificate may no longer be compliant. Wordsmithing welcome.</div>
</div>