[cabfpub] Refinement of gTLD requirements

Ryan Sleevi sleevi at google.com
Thu Feb 6 11:49:36 MST 2014


On Thu, Feb 6, 2014 at 5:46 AM, Gervase Markham <gerv at mozilla.org> wrote:

> On 31/01/14 21:55, Ryan Sleevi wrote:
> > I would expect you to at least be re-issuing the certificate, since the
> > original certificate's domain validation procedures clearly failed the
> > requirements of 11.1.1 with respect to the "new" gTLD, and I would still
> > expect the previous certificate to be revoked.
>
> Ryan,
>
> Are you sure about this? My understanding was that we were attempting to
> create a safe overlap so that such certificates would not all need to be
> revoked.
>
> As an example, if BigCorp had an internal network which used ".bigcorp",
> and if they were to succeed in getting ".bigcorp" (indeed, this could be
> the sole reason they forked out $300K to get it, to avoid the 2015
> internal-certocalypse), then we would not want every certificate they
> are using internally, which may number in the thousands, to have to be
> revoked and reissued (potentially, bit-for-bit identically).
>
> Gerv
>

Gerv,

I do view such revocations as desirable, or at least requiring further
clarification within the BRs if we're not going to require it.

In particular, I'm concerned for the situation of CAs that have issued
"purely internal" certificates to BigCorp, which may not be BR compliant,
on the liberal interpretation that the Scope (Section 1 of BRs 1.1.6) only
applies to "[...] Certificates intended to be used for authenticating servers
accessible through the Internet." It's clear that some CAs view a class
of issuance as "exempt" from the BRs, as we've seen within the discussions
of certain payment providers/POS systems.

I don't think it's sufficient to state something like "Everything else in
the cert is BR compliant", since there are a number of other time-gated ("at
time of issuance") aspects of the BRs - such as Section 7.1.2.

A clarification that might avoid revocation:
"Within 120 days after a contract for a new gTLD is published on
[www.icann.org], CAs MUST revoke each Certificate containing a
Domain Name that includes the new gTLD unless the CA can demonstrate the
certificate is compliant with all requirements of this document if it was
treated that the certificate issuance date was on or after such contract
publication."

Of course, this opens up a new issue - namely, that if the BRs have
tightened since the (intranet) certificate was issued, such a certificate
may no longer be compliant. Wordsmithing welcome.
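As an added illustration of the proposed clause (this is not code from the original post, the CA/B Forum, or any CA), the script below walks a set of constructed certificate records, finds those whose dNSNames end in a newly contracted gTLD, and computes the 120-day revocation deadline from the contract publication date. The gTLD names, contract dates, serials and the `compliant_as_of_contract` field are all assumptions; the last one stands in for the CA's own finding of whether the certificate would meet every BR requirement if it were treated as issued on the contract date.

```python
from datetime import date, timedelta

# Constructed sample data: these gTLDs and contract publication dates are
# assumptions for the example, not values from ICANN or the original post.
NEW_GTLD_CONTRACTS = {
    "bigcorp": date(2014, 1, 15),
    "example": date(2014, 3, 1),
}

# The 120-day window from the proposed clause.
REVOCATION_WINDOW = timedelta(days=120)


def tld_of(dns_name):
    """Rightmost label of a dNSName, lowercased, ignoring a trailing dot.

    Matching on the rightmost label only means "www.bigcorp.com" is not
    affected by a ".bigcorp" delegation, while "mail.bigcorp" and
    "*.corp.bigcorp" are.
    """
    return dns_name.rstrip(".").lower().rsplit(".", 1)[-1]


def affected_gtlds(san_names, contracts):
    """Newly contracted gTLDs that appear as the TLD of any name in the cert."""
    return sorted({tld_of(n) for n in san_names if tld_of(n) in contracts})


def assess(cert, contracts, window=REVOCATION_WINDOW):
    """Apply the proposed rule to one certificate record.

    cert is a constructed dict with serial, not_before (date), sans (list of
    dNSNames) and compliant_as_of_contract (the CA's own determination).
    Returns None when no newly contracted gTLD is involved.
    """
    hits = affected_gtlds(cert["sans"], contracts)
    if not hits:
        return None
    # One deadline per certificate: the earliest affected contract drives it.
    deadline = min(contracts[t] for t in hits) + window
    # Revocation is required unless the CA can demonstrate compliance as if
    # the certificate had been issued on or after the contract publication.
    must_revoke = not cert.get("compliant_as_of_contract", False)
    return {
        "serial": cert["serial"],
        "gtlds": hits,
        "deadline": deadline,
        "action": "revoke" if must_revoke else "retain",
    }


def revocation_worklist(certs, contracts, window=REVOCATION_WINDOW):
    """Certificates that must be revoked, ordered by deadline."""
    results = (assess(c, contracts, window) for c in certs)
    return sorted((r for r in results if r and r["action"] == "revoke"),
                  key=lambda r: r["deadline"])


# Constructed certificate records (serials and names are made up).
SAMPLE_CERTS = [
    {"serial": "01", "not_before": date(2013, 6, 1),
     "sans": ["mail.bigcorp", "*.corp.bigcorp"],
     "compliant_as_of_contract": False},
    {"serial": "02", "not_before": date(2013, 9, 1),
     "sans": ["www.bigcorp.com"],
     "compliant_as_of_contract": False},
    {"serial": "03", "not_before": date(2013, 11, 1),
     "sans": ["intranet.example."],
     "compliant_as_of_contract": True},
]

if __name__ == "__main__":
    for item in revocation_worklist(SAMPLE_CERTS, NEW_GTLD_CONTRACTS):
        print(item["serial"], item["gtlds"], "revoke by", item["deadline"])
```

Because the match is on the rightmost label of each name, a public name that merely contains the new string (the "www.bigcorp.com" record) is left alone, while the certificate that the CA has re-assessed as fully compliant is reported as retained rather than queued for revocation.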