[cabfpub] gTLD proposal
steve.roylance at globalsign.com
Thu Jan 31 16:32:17 UTC 2013
You can add that Steve Roylance of GlobalSign endorsed it, as well as Rick. It
was in my original Ballot 92 text before we slimmed it down.
P.S. I'm not at the F2F, but Ryan will be there.
On 31/01/2013 16:19, "Jeremy Rowley" <jeremy.rowley at digicert.com> wrote:
>Thanks Gerv - comments in-line.
>On 31/01/13 05:36, Jeremy Rowley wrote:
>> Add the following as new Section 11.1.4:
>> 11.1.4 New gTLD Domains
>> Prior to issuing a Certificate containing an Internal Server Name with
>> a gTLD that ICANN has announced as under consideration to make
>We should add some references so that CAs know where the official place
>is to look for such an announcement, or for "ICANN approval" as used
>later in the clause.
>[JR] I'm happy to add a link once ICANN has established a set URL for
>these announcements. One of the things I'd like to discuss with Jeff
>Moss at the face-to-face is advance notice for CAs of a new gTLD's
>approval and a location where CAs can check the status of the proposed
> the CA MUST provide a warning to the applicant that the
>> gTLD may soon become resolvable and that, at that time, the CA will
>> revoke the Certificate unless the applicant promptly registers the
>> domain name. CAs SHOULD NOT issue Certificates containing a new gTLD
>> under consideration by ICANN.
>This second sentence seems to say "you shouldn't do the things we are
>regulating in the first sentence". Or have I misunderstood?
>[JR] The first sentence only requires a warning to customers. The second
>sentence recommends that CAs immediately stop issuing these types of
>certificates. I realize this is not feasible in all cases, which is why
>this is a "SHOULD" instead of a "MUST".
>> 3) The CA MUST revoke a Certificate containing a Domain Name that
>> includes the new gTLD if the Subscriber is not the Domain Name
>> Registrant and the Subscriber cannot demonstrate control over the
>> domain within 60 days after the new gTLD becomes publicly resolvable in
>I believe the original form had an "immediate revocation if it turns up
>visible on the Internet" clause? Did you decide to drop that?
>[JR] Yes. Considering that many of these certificates also include an
>FQDN, they will likely be available on the Internet. Most of the new
>gTLDs will not be operational immediately after the announcement and
>since there is only a 60-day phase-out for these certificates, I'd rather
>not unnecessarily complicate the process.
>One thing I noticed is that the motion lacked a clear requirement not to
>issue these certificates after the gTLD is approved by ICANN. As such,
>I'd like to modify the motion slightly:
>Jeremy Rowley made the following motion, and [Rick Andrews] and
>______________ endorsed it:
>---- Motion Begins ----
>---- Erratum Begins ----
>Add the following as new Section 11.1.3:
>11.1 Authorization by Domain Name Registrant
>11.1.3 Wildcard Domain Validation
>Before issuing a certificate with a wildcard character (*) in a CN or
>subjectAltName of type DNS-ID, the CA MUST establish and follow a
>documented procedure† that determines if the wildcard character occurs in
>the first label position to the left of a “registry-controlled” label or
>“public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for
>If a wildcard would fall within the label immediately to the left of a
>registry-controlled† or public suffix, CAs MUST refuse issuance unless
>the applicant proves its rightful control of the entire Domain Namespace.
>(e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue
>“*.example.com” to Example Co.).
>Prior to September 1, 2013, each CA MUST revoke any valid certificate
>that does not comply with this section of the Requirements.
>†Determination of what is “registry-controlled” versus the registerable
>portion of a Country Code Top-Level Domain Namespace is not standardized
>at the time of writing and is not a property of the DNS itself. Current
>best practice is to consult a “public suffix list” such as
>http://publicsuffix.org/. If the process for making this determination
>is standardized by an RFC, then such a procedure SHOULD be preferred.
>Add the following as new Section 11.1.4:
>11.1.4 New gTLD Domains
>Prior to issuing a Certificate containing an Internal Server Name with a
>gTLD that ICANN has announced as under consideration to make operational,
>the CA MUST provide a warning to the applicant that the gTLD may soon
>become resolvable and that, at that time, the CA will revoke the
>Certificate unless the applicant promptly registers the domain name. CAs
>SHOULD NOT issue Certificates containing a new gTLD under consideration
>Within 30 days after ICANN has approved a new gTLD for operation, as
>evidenced by an announcement on [www.ICANN.org]:
>1) Each CA MUST compare the new gTLD against the CA’s records of valid
>2) If a valid certificate contains a FQDN whose public suffix is the same
>as the new gTLD, the CA MUST re-verify that the Subscriber is either the
>Domain Name Registrant or has control over the FQDN in accordance with
>3) The CA MUST cease issuing Certificates containing a Domain Name that
>includes the new gTLD unless the CA has first verified the Subscriber's
>control over or exclusive right to use the Domain Name in accordance
>with Section 11.1.
>4) The CA MUST revoke a Certificate containing a Domain Name that
>includes the new gTLD if the Subscriber is not the Domain Name Registrant
>and the Subscriber cannot demonstrate control over the domain within 60
>days after the new gTLD becomes publicly resolvable in the DNS.
>---- Motion Ends ----
>---- Erratum Ends ----
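Added example (an illustration written for this page, not code from the thread or from any CA) of the two checks the motion describes: the Section 11.1.3 wildcard rule checked against a public suffix list, and the Section 11.1.4 comparison of a newly approved gTLD against a CA's records of valid certificates. The suffix list, the "bank" gTLD and the certificate records are constructed sample data.

```python
# Added illustration (not from the cabfpub thread or any CA's code) of the two checks
# in proposed Sections 11.1.3 and 11.1.4; suffix list and records are constructed samples.

# Constructed excerpt standing in for the public suffix list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}

def public_suffix(name: str) -> str:
    """Return the longest listed public suffix of `name`; an unlisted TLD
    (a bare label such as "local" or "bank") is treated as a suffix itself."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]

def wildcard_allowed(name: str) -> bool:
    """Section 11.1.3: refuse a wildcard sitting immediately left of a
    registry-controlled label or public suffix ("*.co.uk", "*.local").
    Assumption of this example: only a whole leftmost "*" label is a wildcard."""
    labels = name.lower().split(".")
    if not any("*" in label for label in labels):
        return True                      # not a wildcard name, nothing to check here
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False                     # partial or non-leftmost wildcard
    remainder = ".".join(labels[1:])
    return public_suffix(remainder) != remainder

def certs_needing_reverification(valid_certs: dict, new_gtld: str) -> list:
    """Section 11.1.4 steps 1-2: serials of valid certificates carrying a name
    whose public suffix equals the newly approved gTLD."""
    new_gtld = new_gtld.lower().strip(".")
    return [serial for serial, names in valid_certs.items()
            if any(public_suffix(n) == new_gtld for n in names)]

# Constructed sample of a CA's records: serial -> DNS names in the certificate.
VALID_CERTS = {
    "01": ["www.example.com", "mail"],
    "02": ["intranet.corp.bank", "intranet.corp.example.com"],
    "03": ["*.example.com"],
}

if __name__ == "__main__":
    for n in ("*.example.com", "*.co.uk", "*.local"):
        print(n, "allowed" if wildcard_allowed(n) else "refused")
    print("re-verify for .bank:", certs_needing_reverification(VALID_CERTS, "bank"))
```

Unlisted single labels fall through to the last-label rule, which is why the bare internal name "mail" is flagged if a "mail" gTLD were approved.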