<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Yes, I agree with Robin. There is no requirement to make every publically trusted certificate available on the internet. The intent of this was to require subscribers to use this certificate only for those FQDNs which are in the SAN and they must not use it on other web servers (presumably to support some sort of attack). If this was truly a requirement then every cert with internal server names would have broken this rule since they are normally not publically visible.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><br>Doug<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Robin Alden<br><b>Sent:</b> Wednesday, November 11, 2015 5:11 AM<br><b>To:</b> 'Geoff Keating' <geoffk@apple.com>; 'Peter Bowen' <pzbowen@gmail.com><br><b>Cc:</b> 'Dean Coclin' <Dean_Coclin@symantec.com>; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Misissuance of certificates<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’m afraid it goes too far to imply that there is a requirement for the subscriber to put their certificate on the public internet.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>There is no such requirement.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>9.6.3 does not require it.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>9.6.3 requires that the server is “accessible at the subjectAltName(s) listed in the Certificate”. If that is on the subscriber’s private network then that’s fine.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>While internal names are permitted in certificates it would have been futile to require them to resolve on the public internet.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>For FQDNs we only require that the applicant demonstrates that they are the registrant or have ownership or control of the “Authorization Domain” (to borrow a defined term from the upcoming Domain Validation ballot). We do not require a demonstration of control or even a test for presence of the FQDN on the internet.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I don’t recall how 9.6.3.4 came to be written, but it seems to me to be a requirement on subscribers to use server certificates on servers where they are obviously usable.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If a subscriber is deploying a certificate onto a server where it is not obviously usable then either they are up to no good with it or they are too dumb or too clever to have nice things and it should be taken away from them. I could see an argument for 9.6.3.4 being too overbearing and I would not mourn its loss, but its presence or absence does not forbid the use of certificates on private networks.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Regards<br>Robin<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Geoff Keating<br><b>Sent:</b> 11 November 2015 07:00<br><b>To:</b> Ryan Sleevi<br><b>Cc:</b> Dean Coclin; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Misissuance of certificates<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB><o:p> </o:p></span></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB>On 10 Nov 2015, at 8:27 PM, Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote<span style='color:#1F497D'> (for Peter Bowen)</span>:<o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>the subscriber have "[a]n obligation and warranty to install the<br>Certificate only on servers that are accessible at the<br>subjectAltName(s) listed in the Certificate". If the subscriber has</span><span lang=EN-GB><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB>The key word here is ‘only’. Honored more in the breach, alas.<o:p></o:p></span></p></div></div></div></body></html>