[cabfpub] gTLD proposal

Jeremy Rowley jeremy.rowley at digicert.com
Thu Jan 31 05:36:42 UTC 2013


Hi everyone,

Because ICANN will begin the process of issuing new generic Top Level
Domains (gTLDs) in 2012, certain Certificates for non-public names will need
to be revoked on an accelerated schedule in order to prevent collisions and
possible MITM attacks on newly registered domains. ICANN is primarily
concerned about the number of *.gTLD certificates that CAs have previously
issued. For example, *.XXX may exist despite .XXX being approved for
registration back in 2010.

The attached motion is intended to eliminate erratic use of wildcard
characters and mitigate the ICANN security concerns while providing a
transition period for affected customers.  I’m looking for an additional
endorser.


----------------

Jeremy Rowley made the following motion, and Rick Andrews and
______________ endorsed it:


---- Motion Begins ----


---- Erratum Begins ----


Add the following as new Section 11.1.3:


11.1    Authorization by Domain Name Registrant 


11.1.3 Wildcard Domain Validation


Before issuing a certificate with a wildcard character (*) in a CN or
subjectAltName of type DNS-ID, the CA MUST establish and follow a documented
procedure† that determines if the wildcard character occurs in the first
label position to the left of a “registry-controlled” label or “public
suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further
explanation).

If a wildcard would fall within the label immediately to the left of a
registry-controlled† or public suffix, CAs MUST refuse issuance unless the
applicant proves its rightful control of the entire Domain Namespace. (e.g.
CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example.com” to
Example Co.).  

Prior to September 1, 2013, each CA MUST revoke any valid certificate that
does not comply with this section of the Requirements.

†Determination of what is “registry-controlled” versus the registerable
portion of a Country Code Top-Level Domain Namespace is not standardized at
the time of writing and is not a property of the DNS itself. Current best
practice is to consult a “public suffix list” such as
http://publicsuffix.org/. If the process for making this determination is
standardized by an RFC, then such a procedure SHOULD be preferred.


Add the following as new Section 11.1.4:


11.1.4 New gTLD Domains


Prior to issuing a Certificate containing an Internal Server Name with a
gTLD that ICANN has announced as under consideration to make operational,
the CA MUST provide a warning to the applicant that the gTLD may soon become
resolvable and that, at that time, the CA will revoke the Certificate unless
the applicant promptly registers the domain name. CAs SHOULD NOT issue
Certificates containing a new gTLD under consideration by ICANN.

Within 30 days after a CA is made aware that ICANN approved a new gTLD for
operation:

1) Each CA MUST compare the new gTLD against the CA’s records of valid
certificates.

2) If a valid certificate contains a FQDN whose public suffix is the
same as the new gTLD, the CA MUST re-verify that the Subscriber is either
the Domain Name Registrant or has control over the FQDN in accordance with
Section 11.1.

3) The CA MUST revoke a Certificate containing a Domain Name that
includes the new gTLD if the Subscriber is not the Domain Name Registrant
and the Subscriber cannot demonstrate control over the domain within 60 days
after the new gTLD becomes publicly resolvable in the DNS.


---- Motion Ends ----


---- Erratum Ends ----


Thanks,

Jeremy
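
As an added illustration (not part of the ballot text above and not any CA's own code), the following Python implements the two checks the motion describes: the public-suffix lookup behind the 11.1.3 wildcard rule, and the 11.1.4 scan of valid certificates for names that fall under a newly approved gTLD. The rule list, the certificate records and the decision to refuse wildcards that are not the leftmost label are assumptions made for the example.

```python
# Added example, not part of the ballot: a small public-suffix-list (PSL)
# matcher used for the motion's two checks: refusing wildcards that sit
# directly left of a public suffix (11.1.3) and finding certificates whose
# names fall under a newly approved gTLD (11.1.4). Rule list is constructed.
PSL_RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"]  # tiny constructed subset


def public_suffix(fqdn, rules=PSL_RULES):
    """PSL algorithm: an exception rule wins, otherwise the longest matching
    rule; with no match the prevailing rule is '*' (the TLD alone)."""
    labels = fqdn.lower().rstrip(".").split(".")
    best_len, exception = 0, None
    for rule in rules:
        is_exception = rule.startswith("!")
        r_labels = rule.lstrip("!").split(".")
        if len(r_labels) > len(labels):
            continue
        tail = labels[-len(r_labels):]
        if all(r == "*" or r == lab for r, lab in zip(r_labels, tail)):
            if is_exception:
                exception = len(r_labels)
            elif len(r_labels) > best_len:
                best_len = len(r_labels)
    if exception is not None:          # "!www.ck" => suffix is "ck"
        return ".".join(labels[-(exception - 1):])
    return ".".join(labels[-best_len:]) if best_len else labels[-1]


def wildcard_issuance_permitted(name, rules=PSL_RULES):
    """11.1.3: a leading '*.' is acceptable only if what follows it is longer
    than its own public suffix ('*.example.com' yes, '*.co.uk' / '*.local' no).
    Assumption: a wildcard in any other label position is refused outright."""
    if not name.startswith("*.") or "*" in name[2:]:
        return False
    rest = name[2:].lower().rstrip(".")
    return rest != public_suffix(rest, rules)


def certs_under_new_gtld(certs, new_gtld, rules=PSL_RULES):
    """11.1.4 steps 1-2: given {serial: [dNSName, ...]} for valid certificates,
    return serials holding a name whose public suffix is the new gTLD, i.e.
    the certificates that must be re-verified and, failing that, revoked."""
    gtld = new_gtld.lower().lstrip(".")
    hits = []
    for serial, names in certs.items():
        bare = [n[2:] if n.startswith("*.") else n for n in names]
        if any(public_suffix(n, rules) == gtld for n in bare):
            hits.append(serial)
    return sorted(hits)
```

Because an unmatched TLD falls back to the "*" rule, a name under a not-yet-delegated gTLD such as "mail.corp" already reports "corp" as its public suffix, which is exactly what the 30-day comparison in 11.1.4 needs.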
