<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think “phishing” is a type of fraud that comes immediately to mind as a type of fraud, but we didn’t want to miss “other types.” I know that sometimes I use the phrase “fraud or other illegal conduct” so that I cover other bad acts that are not defined as “fraud”. So, in the case of these cloud domains, one could argue that they have a higher risk that a victim will be phished, and therefore, a CA would have to handle such requests differently, but I’ll let others say what should be done differently. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Kelvin Yiu<br><b>Sent:</b> Monday, May 05, 2014 2:55 PM<br><b>To:</b> ben@digicert.com; 'Ryan Sleevi'<br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Use of wildcard certificates by cloud operators<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That’s a good question. Personally, I think “fraudulent” includes cases where the site tries to impersonate another site and steal private information which would including phishing. However, I noticed the BR sometimes calls out phishing explicitly (such as in the definition of High Risk Certificate Request). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> … which may include names at higher risk for phishing or other fraudulent usage, …<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Is there an intention in the BR to categorize “phishing” as distinct from “other fraudulent usages”?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kelvin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Ben Wilson [<a href="mailto:ben@digicert.com">mailto:ben@digicert.com</a>] <br><b>Sent:</b> Monday, May 5, 2014 10:41 AM<br><b>To:</b> 'Ryan Sleevi'; Kelvin Yiu<br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] Use of wildcard certificates by cloud operators<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For clarification on #2, does the word “fraudulent” change anything? In other words, in your minds, what is the scenario that is considered “fraudulent”? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Monday, May 05, 2014 11:23 AM<br><b>To:</b> Kelvin Yiu<br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Use of wildcard certificates by cloud operators<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Mon, May 5, 2014 at 10:10 AM, Kelvin Yiu <<a href="mailto:kelviny@exchange.microsoft.com" target="_blank">kelviny@exchange.microsoft.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This Netcraft post (<a href="http://news.netcraft.com/archives/2014/04/28/phishers-find-microsoft-azure-30-day-trial-irresistible.html" target="_blank">http://news.netcraft.com/archives/2014/04/28/phishers-find-microsoft-azure-30-day-trial-irresistible.html</a>) has highlighted some questions for us about wildcard certificate requirements in the BR and how they apply to cloud operators. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Microsoft Azure customers can create sub domain names under specific MS registered domains (e.g. <a href="http://myservice.azurewebsites.net" target="_blank">myservice.azurewebsites.net</a>). Users can access these FQDNs using HTTPS, which is is secured with a wildcard certificate managed by Azure. Customers do not have access to the private key of the wildcard certificate. Azure also maintains a process to monitor for fraudulent activities and will take down such sites. AFAIK, other cloud operators such as Google App Engine and Amazon Web Services uses wildcard certificates in a similar way. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Here are my questions to the forum:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p>1.<span style='font-size:7.0pt'> </span>Section 11.1.3 of the BR explicitly disallow wildcard certificates for registry controlled domains (e.g. *.com). The Mozilla maintained <a href="http://publicsuffix.org" target="_blank">http://publicsuffix.org</a> is cited as an example of a public suffix list where Azure, GAE, and AWS domains can be found. Does the current usage of wildcard certificates by cloud operators violate the BR? If so, is this intentional and what is the reason?<o:p></o:p></p></div></div><div><p class=MsoNormal>The Public Suffix List is presently divided into two sections - ICANN-assigned suffices (eg: gTLDs, ccTLDs) and "Private" (enterprise) suffices, for which Azure falls under (as do many other hosted services, such as AWS and Google App Engine)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In both cases, things are fuzzy - in a know-it-when-I-see-it sort of way. That is, it's easy to say something like "*.com" should be invalid. For something like *.<a href="http://appspot.com">appspot.com</a> or *.<a href="http://azurewebsites.net">azurewebsites.net</a>, one would say that it should be invalid for "just anyone" to register, but it should be valid for Google/Microsoft (respectively) to register - as they have. So perhaps we'd say this is a "high-risk domain" and requires manual vetting, but it's hard to say as a general rule it should be prohibited.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Further, it gets more troubling with something like *.nike (as a hypothetical). If Nike doesn't allow third-party registrations, but instead fully operates the domain - much like *.<a href="http://appspot.com">appspot.com</a> or *.<a href="http://azurewebsites.net">azurewebsites.net</a> - should it be allowed to register a wildcard cert? Maybe, maybe not. (For the record, Chrome, in present form, would reject it, as it would any wildcard to an ICANN/IANA-assigned gTLD)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Note that Section 11.1.3 provides for registrations in *.<a href="http://azurewebsites.net">azurewebsites.net</a> and *.<a href="http://appspot.com">appspot.com</a> - as well as *.nike - in its present form, in the first sentence of the second paragraph:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>"If a wildcard would fall within the label immediately to the left of a registry-controlled† or public suffix, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p>2.<span style='font-size:7.0pt'> </span>Section 13.1.5 of the BR explicitly require wildcard certificates that were “used to authenticate fraudulently misleading subordinate FQDN” to be revoked within 24 hours. If the fraudulent sites never had access to the private key of the wildcard certificate and the cloud operator has a process to take down fraudulent sites, should these wildcard certificates be required to be revoked?<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I don't have a good answer for this, and will probably need to think more before responding. I can see positive and negative outcomes with either answer.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'>Kelvin<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>