[cabfpub] Refinement of gTLD requirements

Jeremy Rowley jeremy.rowley at digicert.com
Thu Feb 6 19:01:16 UTC 2014

Since, as you pointed out, some CAs may consider purely internal server certs exempt under the scope section of the BRs, I’m not sure what the language change actually accomplishes.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, February 06, 2014 11:50 AM
To: Gervase Markham
Cc: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Refinement of gTLD requirements




On Thu, Feb 6, 2014 at 5:46 AM, Gervase Markham <gerv at mozilla.org> wrote:

On 31/01/14 21:55, Ryan Sleevi wrote:
> I would expect you to at least be re-issuing the certificate, since the
> original certificate's domain validation procedures clearly failed the
> requirements of 11.1.1 with respect to the "new" gTLD, and I would still
> expect the previous certificate to be revoked.


Are you sure about this? My understanding was that we were attempting to
create a safe overlap so that such certificates would not all need to be

As an example, if BigCorp had an internal network which used ".bigcorp",
and if they were to succeed in getting ".bigcorp" (indeed, this could be
the sole reason they forked out $300K to get it, to avoid the 2015
internal-certocalypse), then we would not want every certificate they
are using internally, which may number in the thousands, to have to be
revoked and reissued (potentially, bit-for-bit identically).





I do view such revocations as desirable, or at least requiring further clarification within the BRs if we're not going to require it.


In particular, I'm concerned for the situation of CAs that have issued "purely internal" certificates to BigCorp, which may not be BR compliant, on the liberal interpretation that the Scope (Section 1 of BRs 1.1.6) only applies to "[...] Certificates intended to be used for authenticating servers accessible through the Internet." It's clear that some CAs view a class of issuance as "exempt" from the BRs, as we've seen within the discussions of certain payment providers/POS systems.


I don't think it's sufficient to state something like "Everything else in the cert is BR compliant", since there's a number of other time-gated ("at time of issuance") aspects of the BRs - such as Section 7.1.2.


A clarification that might avoid revocation:

"Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the CA can demonstrate the certificate is compliant with all requirements of this document if it was treated that the certificate issuance date was on or after such contract publication."


Of course, this opens up a new issue - namely, that if the BRs have tightened since the (intranet) certificate was issued, such a certificate may no longer be compliant. Wordsmithing welcome.
