[cabfpub] Updated gTLD proposal

Mon Feb 4 10:37:45 MST 2013

Here's an updated gTLD proposal for tomorrow's discussion.  This update compiles all of the feedback I've received so far.  In particular, the modified motion reflects some new information I received from ICANN: 

1) Domains will not generally be publicly resolvable 30 days after the announcement.  Therefore, requiring a check during those 30 days doesn't add anything.
2)  Some of the gTLDs will take a while before they are publicly resolvable.  Because of this, the cut-off date should be tied to the public announcement. In addition, the plan is to release new gTLDs in batches.  This means that the number of certificates requiring revocation over the next year could be very significant, especially if .corp is granted.  

----------------

Jeremy Rowley made the following motion, and [Rick Andrews] and [Steve Roylance]  endorsed it:

---- Motion Begins ----
---- Erratum Begins ----

Add the following as new Section 11.1.3:

11.1    Authorization by Domain Name Registrant 

11.1.3 Wildcard Domain Validation

Before issuing a certificate with a wildcard character (*) in a CN or subjectAltName of type DNS-ID, the CA MUST establish and follow a documented procedure† that determines if the wildcard character occurs in the first label position to the left of a “registry-controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
If a wildcard would fall within the label immediately to the left of a registry-controlled† or public suffix, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example.com” to Example Co.).  

Prior to September 1, 2013, each CA MUST revoke any valid certificate that does not comply with this section of the Requirements.

†Determination of what is “registry-controlled” versus  the registerable portion of a Country Code Top-Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice is to consult a “public suffix list” such as http://publicsuffix.org/.  If the process for making this determination is standardized by an RFC, then such a procedure SHOULD be preferred.

Add the following as new Section 11.1.4:

11.1.4 New gTLD Domains

CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by ICANN. Prior to issuing a Certificate containing an Internal Server Name with a gTLD that ICANN has announced as under consideration to make operational, the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly registers the domain name. 

Within 30 days after ICANN has approved a new gTLD for operation, as evidenced by  publication of a contract with the gTLD operator on [www.ICANN.org] each CA MUST (1) compare the new gTLD against the CA’s records of valid certificates and (2) cease issuing Certificates containing a Domain Name that includes the new gTLD until after the CA has first verified the Subscriber's control over or exclusive right to use the Domain Name  in accordance with Section 11.1.

Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the Domain Name.

---- Motion Ends ----

---- Erratum Ends ----