[cabfpub] ICANN, gTLD, internal names

Robert Relyea rrelyea at redhat.com
Fri Mar 15 16:47:35 MST 2013


On 03/15/2013 03:27 PM, Geoff Keating wrote:
> One thing that does affect CAs is that if a heavily used internal TLD like .corp is made global, then there's still the possibility of conflict between an internal CA and a cert that a global CA issues.
>
> For example, suppose Widgets Inc. uses widget.corp internally.  They have an internal CA and have issued a cert to www.widget.corp.  Now suppose ICANN allocates .corp and someone else registers widget.corp.  Even after 2016, that someone else can get a cert from a CABforum CA for www.widget.corp (since they own it) and then use that cert to attack Widgets Inc.
What, seriously? You are worried that the owner of the domain can 
man-in-the-middle a local unrouteable domain?

What ICANN is asking for is that the Widgets, Inc. widget.corp cert be 
revoked 'now', so the first cert becomes invalid, since it hasn't been 
verified.

It's Widgets Inc. that has the invalid cert, not the true domain owner.


bob

