[cabfpub] Possible CAB Forum objection to some gTLD applications

Geoff Keating geoffk at apple.com
Fri Jun 29 21:12:00 UTC 2012


I ran some queries against my database of certificates.  There were 385 domains for which I saw at least one certificate with a DNS name whose last component was in the list of 1300 new gTLD names.  There were 215 domains with a certificate where the domain name had more than one component (e.g. 'autodiscover.active' rather than just 'active').

These results included all certificates, including self-signed and expired.  Self-signed certificates are still affected because if a trusted CA issues autodiscover.active, it'll allow a man-in-the-middle attack against a self-signed autodiscover.active.

What I found surprising was the most popular name.  I had for sure expected something like 'corp' or 'exchange'.  It actually turns out that the most popular, by a huge margin, is 'box':

box    129973 (associated with 26164 certificates, almost all self-signed)
mail     7530 (of which almost all are just 'mail')
exchange 4881 (of which almost all are just 'exchange')
corp     3891
office    492

The full list, counted by DNS names (so two certificates each containing 'mail' and 'www.mail' total to 4), is this:

[The full list was sent as an HTML attachment, which the archive scrubbed; it is available at <http://lists.cabforum.org/pipermail/public/attachments/20120629/5cfd9c3b/attachment-0008.html>]


I also made a list of the number of unexpired trusted certificates in each proposed TLD, containing more than one component.  These are the certificates that would likely need to be revoked, if they haven't been already.  Here '.corp' is the most popular:

[This list was also sent as an HTML attachment, which the archive scrubbed; it is available at <http://lists.cabforum.org/pipermail/public/attachments/20120629/5cfd9c3b/attachment-0009.html>]
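The three tallies the post describes (occurrences per applied-for string counted by certificate and DNS name, the set of distinct colliding names with its multi-label subset, and the trusted, unexpired, multi-label certificates that would be revocation candidates) can be reproduced from a list of certificate records. The following is an added example, not code from Geoff's post or from his certificate database; the `Cert` record type, the gTLD subset and the sample certificates are constructed for illustration, and the real 2012 list had about 1300 strings. Names are normalised (lower-cased, trailing dot stripped), and a wildcard keeps its `*` label so that `*.corp` is treated as a multi-label name under `corp`.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed subset of the applied-for gTLD strings (the real list had ~1300).
NEW_GTLDS = frozenset({"box", "mail", "exchange", "corp", "office", "active"})


@dataclass(frozen=True)
class Cert:
    """Hypothetical record shape; a real run would extract these from parsed X.509 data."""
    serial: str
    dns_names: tuple[str, ...]   # subject CN plus SAN dNSName entries, as found in the cert
    self_signed: bool
    trusted: bool                # chains to a root in a public trust store
    not_after: datetime


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Active.' and 'active' compare equal."""
    return name.strip().rstrip(".").lower()


def colliding_names(cert: Cert) -> list[str]:
    """Normalised names in `cert` whose last label is an applied-for string.
    A wildcard such as '*.corp' keeps its '*' label, so it counts as multi-label."""
    out = []
    for raw in cert.dns_names:
        name = normalize(raw)
        labels = name.split(".")
        if all(labels) and labels[-1] in NEW_GTLDS:
            out.append(name)
    return out


def tld_of(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def occurrences_by_tld(certs) -> Counter:
    """Count (certificate, DNS name) pairs per string: two certs that each
    contain 'mail' and 'www.mail' contribute mail=4, as in the post."""
    counts: Counter = Counter()
    for cert in certs:
        for name in colliding_names(cert):
            counts[tld_of(name)] += 1
    return counts


def affected_domains(certs) -> tuple[set[str], set[str]]:
    """Distinct colliding names, and the subset with more than one component."""
    names = {n for cert in certs for n in colliding_names(cert)}
    return names, {n for n in names if "." in n}


def revocation_candidates(certs, now: datetime) -> dict[str, list[str]]:
    """Serials of trusted, unexpired certs carrying a multi-label colliding name,
    grouped by string.  Self-signed certs fail the `trusted` test and drop out:
    no public CA can revoke them, but they stay exposed to MITM if a CA ever
    issues the same name."""
    out: dict[str, list[str]] = defaultdict(list)
    for cert in certs:
        if not cert.trusted or cert.not_after <= now:
            continue
        for tld in sorted({tld_of(n) for n in colliding_names(cert) if "." in n}):
            out[tld].append(cert.serial)
    return dict(out)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data; the counts in the post come from a real database.
SAMPLE_CERTS = [
    Cert("01", ("box",), True, False, _utc(2020, 1, 1)),
    Cert("02", ("box",), True, False, _utc(2020, 1, 1)),
    Cert("03", ("mail", "www.mail"), False, True, _utc(2014, 1, 1)),
    Cert("04", ("mail", "www.mail"), False, True, _utc(2011, 1, 1)),   # expired
    Cert("05", ("autodiscover.active", "Active."), False, True, _utc(2013, 1, 1)),
    Cert("06", ("*.corp", "exchange.corp"), False, True, _utc(2014, 1, 1)),
    Cert("07", ("www.example.com",), False, True, _utc(2014, 1, 1)),  # no collision
    Cert("08", ("CORP",), True, False, _utc(2020, 1, 1)),
]
NOW = _utc(2012, 6, 29)

if __name__ == "__main__":
    names, multi = affected_domains(SAMPLE_CERTS)
    print("occurrences by string:", occurrences_by_tld(SAMPLE_CERTS))
    print("distinct colliding names:", len(names), "multi-label:", len(multi))
    print("revocation candidates:", revocation_candidates(SAMPLE_CERTS, NOW))
```

The `trusted` and `self_signed` flags are kept separate on purpose: a self-signed certificate is never a revocation candidate, but its name still belongs in the first two tallies because the collision risk described in the post is about the namespace, not about who signed the certificate.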