[cabfpub] ICANN, gTLD, internal names

Geoff Keating geoffk at apple.com
Sat Mar 16 00:20:53 UTC 2013


On 15/03/2013, at 4:47 pm, Robert Relyea <rrelyea at redhat.com> wrote:

> On 03/15/2013 03:27 PM, Geoff Keating wrote:
>> One thing that does affect CAs is that if a heavily used internal TLD like .corp is made global, then there's still the possibility of conflict between an internal CA and a cert that a global CA issues.
>> 
>> For example, suppose Widgets Inc. uses widget.corp internally.  They have an internal CA and have issued a cert to www.widget.corp.  Now suppose ICANN allocates .corp and someone else registers widget.corp.  Even after 2016, that someone else can get a cert from a CABforum CA for www.widget.corp (since they own it) and then use that cert to attack Widgets Inc.
> What, seriously? You are worried that the owner of the domain can man-in-the-middle a local unrouteable domain?

I'm worried that someone who is, perhaps, already inside Widget's network, can register its domain, get a certificate, and then intercept the traffic.

This is not the case where Widget's internal CA is publicly trusted.  The CA is installed only on their machines.

> What ICANN is asking for is the Widgets, Inc. widget.corp cert be revoked 'now', so the first cert becomes invalid, since it hasn't been verified.

It's not reasonable to say the first cert is 'invalid'.  Within the scope of Widget's CA, there is only one www.widget.corp and it's been issued properly.

> It's Widgets Inc. that has the invalid cert, not the true domain owner.

It could be said that Widgets Inc. should never have used .corp like this; they should have known better.  But also it could be said that the Internet community as a whole encouraged this kind of thing.  *I* would say that it doesn't matter who was at fault.
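As an added example, not part of this thread, here is a small inventory check a defender could run over the names an internal CA has issued, to find the ones whose TLD has since been delegated and which second-level domain an outsider would need to register to obtain a publicly trusted certificate for the same name. The gTLD set and the certificate names are constructed placeholders, and "registrable domain" is simplified to the label directly under the TLD (no public suffix list).

```python
import ipaddress

# Constructed sample data. In practice replace DELEGATED_GTLDS with ICANN's
# current delegated-strings list and INTERNAL_CERT_NAMES with the SAN entries
# pulled from the internal CA's issued-certificate database.
DELEGATED_GTLDS = {"com", "net", "org", "corp", "home"}
INTERNAL_CERT_NAMES = [
    "www.widget.corp",        # the case discussed in the thread
    "*.mail.widget.corp",     # wildcard under the same domain
    "intranet.widget.local",  # .local is not in the delegated set
    "10.1.2.3",               # IP literal, never a DNS collision
    "Printer.Widget.CORP.",   # mixed case, fully qualified with trailing dot
]


def normalize(name):
    """Lower-case, drop the trailing root dot, drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_ip_literal(name):
    """IP-address SANs cannot collide with a gTLD delegation."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def collisions(cert_names, delegated):
    """Map each internal name whose TLD is now public to the domain an
    outsider would have to register to get a public CA to issue for it.
    Assumes the registrable domain is the label directly under the TLD."""
    found = {}
    for raw in cert_names:
        name = normalize(raw)
        if is_ip_literal(name):
            continue
        labels = name.split(".")
        if len(labels) < 2:
            continue  # single-label names have no registrable domain
        if labels[-1] in delegated:
            found[raw] = ".".join(labels[-2:])
    return found


if __name__ == "__main__":
    for cert_name, domain in collisions(INTERNAL_CERT_NAMES, DELEGATED_GTLDS).items():
        print(f"{cert_name}: collides once someone registers {domain}")
```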