[cabfpub] ICANN, gTLD, internal names

Hill, Brad bhill at paypal-inc.com
Fri Mar 15 20:31:37 MST 2013


Geoff is right.  Or consider what happens when a widget corp employee takes his laptop home or to Starbucks.  His email client starts sending his name, password and email to exchange.corp.

Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad

On Mar 15, 2013, at 6:21 PM, "Geoff Keating" <geoffk at apple.com> wrote:

> 
> On 15/03/2013, at 4:47 pm, Robert Relyea <rrelyea at redhat.com> wrote:
> 
>> On 03/15/2013 03:27 PM, Geoff Keating wrote:
>>> One thing that does affect CAs is that if a heavily used internal TLD like .corp is made global, then there's still the possibility of conflict between an internal CA and a cert that a global CA issues.
>>> 
>>> For example, suppose Widgets Inc. uses widget.corp internally.  They have an internal CA and have issued a cert to www.widget.corp.  Now suppose ICANN allocates .corp and someone else registers widget.corp.  Even after 2016, that someone else can get a cert from a CABforum CA for www.widget.corp (since they own it) and then use that cert to attack Widgets Inc.
>> What, seriously? You are worried that the owner of the domain can man-in-the-middle a local unrouteable domain?
> 
> I'm worried that someone who is, perhaps, already inside Widget's network, can register its domain, get a certificate, and then intercept the traffic.
> 
> This is not the case where Widget's internal CA is publicly trusted.  The CA is installed only on their machines.
> 
>> What ICANN is asking for is that the Widgets, Inc. widget.corp cert be revoked 'now', so the first cert becomes invalid, since it hasn't been verified.
> 
> It's not reasonable to say the first cert is 'invalid'.  Within the scope of Widget's CA, there is only one www.widget.corp and it's been issued properly.
> 
>> It's Widgets Inc. that has the invalid cert, not the true domain owner.
> 
> It could be said that Widgets Inc. should never have used .corp like this, they should have known better.  But also it could be said that the Internet community as a whole encouraged this kind of thing.  *I* would say that it doesn't matter who was at fault.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
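An added example, not code from this thread or from anyone posting in it, of the audit the discussion points at: given an inventory of internal hostnames (or the SAN entries of internally issued certificates), sort each name by whether its suffix is reserved for private use and so can never be delegated publicly, whether it sits under a public domain the organization actually registered, whether it sits under a delegated TLD the organization does not own, or whether it sits under a string like .corp that is not delegated today but could be later. The delegated-TLD set, the owned-domain list and the hostnames are constructed sample data; in practice the delegated set would be taken from the IANA root zone.

```python
"""Classify internal hostnames by TLD name-collision risk.

Added example; not part of the original cabfpub thread. The delegated
TLD set, owned domains and hostnames below are constructed samples.
"""

# Suffixes reserved for local/private/testing use (RFC 6761, RFC 6762,
# RFC 8375). The public root will never delegate them, so a host under
# one of these cannot be registered, or certified, by an outside party.
RESERVED_SUFFIXES = (
    "localhost",
    "local",
    "test",
    "example",
    "invalid",
    "home.arpa",
)

# Constructed stand-in for the set of TLDs currently in the public root.
DELEGATED_TLDS = {"com", "net", "org", "arpa"}

# Constructed: public domains this organization has registered itself.
OWNED_DOMAINS = ("widgets.com",)

# Constructed inventory, the kind of list one would pull from an internal
# CA's issued-certificate log or an asset database.
SAMPLE_HOSTNAMES = [
    "www.widget.corp",       # the thread's example: .corp is not delegated
    "exchange.corp",         # a mail server that a roaming laptop keeps asking for
    "mail.widgets.com",      # under a domain the organization owns
    "share.widgets.net",     # delegated TLD, but widgets.net is not ours
    "printer.home.arpa",     # reserved for home/private networks
    "intranet.widgets.test", # reserved for testing
]


def _under(hostname, suffix):
    """True if hostname equals suffix or is a subdomain of it."""
    return hostname == suffix or hostname.endswith("." + suffix)


def classify(hostname, delegated_tlds=DELEGATED_TLDS, owned_domains=OWNED_DOMAINS):
    """Return one of four risk classes for a hostname.

    'reserved'            - private-use suffix; cannot collide with the public root.
    'owned'               - under a public domain we registered; we control issuance.
    'delegated_not_owned' - under a live TLD, but someone else can register the
                            domain and obtain a publicly trusted certificate now.
    'collision_risk'      - TLD not delegated today (e.g. .corp); a future
                            delegation would create exactly the situation the
                            thread describes.
    """
    name = hostname.lower().rstrip(".")
    if any(_under(name, s) for s in RESERVED_SUFFIXES):
        return "reserved"
    if any(_under(name, d.lower()) for d in owned_domains):
        return "owned"
    tld = name.rsplit(".", 1)[-1]
    if tld in delegated_tlds:
        return "delegated_not_owned"
    return "collision_risk"


def audit(hostnames, delegated_tlds=DELEGATED_TLDS, owned_domains=OWNED_DOMAINS):
    """Map each hostname to its class and return the dict."""
    return {h: classify(h, delegated_tlds, owned_domains) for h in hostnames}


def needs_renaming(hostnames, delegated_tlds=DELEGATED_TLDS, owned_domains=OWNED_DOMAINS):
    """Names an organization should move under a domain it owns or a
    reserved suffix, sorted for stable output."""
    result = audit(hostnames, delegated_tlds, owned_domains)
    return sorted(h for h, c in result.items()
                  if c in ("collision_risk", "delegated_not_owned"))


if __name__ == "__main__":
    for host, cls in audit(SAMPLE_HOSTNAMES).items():
        print(f"{host:28s} {cls}")
    print("to rename:", needs_renaming(SAMPLE_HOSTNAMES))
```

The two classes worth acting on are the last two: a name under a delegated TLD that the organization does not own is already exposed to a publicly trusted certificate issued to whoever registers the domain, and a name under an undelegated string is exposed the moment ICANN delegates it. Moving such hosts under an owned public domain, or under a reserved suffix, removes the collision rather than relying on the internal CA never meeting a public one.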