[cabfpub] ICANN, gTLD, internal names

Robert Relyea rrelyea at redhat.com
Fri Mar 15 23:47:35 UTC 2013

On 03/15/2013 03:27 PM, Geoff Keating wrote:
> One thing that does affect CAs is that if a heavily used internal TLD like .corp is made global, then there's still the possibility of conflict between an internal CA and a cert that a global CA issues.
> For example, suppose Widgets Inc. uses widget.corp internally.  They have an internal CA and have issued a cert to www.widget.corp.  Now suppose ICANN allocates .corp and someone else registers widget.corp.  Even after 2016, that someone else can get a cert from a CABforum CA for www.widget.corp (since they own it) and then use that cert to attack Widgets Inc.

What, seriously? You are worried that the owner of the domain can
man-in-the-middle a local unrouteable domain?

What ICANN is asking for is the Widgets, Inc. widget.corp cert be 
revoked 'now', so the first cert becomes invalid, since it hasn't been 

It's Widgets Inc. that has the invalid cert, not the true domain owner.

