[cabfpub] Refinement of gTLD requirements

Rick Andrews Rick_Andrews at symantec.com
Thu Feb 6 21:37:27 UTC 2014

My original ask was to clarify the timeline for customers dealing with this. If we changed “120 days from the time the contract was signed” to “60 days from the time the TLD was delegated” or even “30 days from the time the TLD was delegated” that would be a lot more fair, transparent and easy to understand for customers and CAs alike.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, February 06, 2014 10:50 AM
To: Gervase Markham
Cc: Rick Andrews; public at cabforum.org
Subject: Re: [cabfpub] Refinement of gTLD requirements

On Thu, Feb 6, 2014 at 5:46 AM, Gervase Markham <gerv at mozilla.org<mailto:gerv at mozilla.org>> wrote:
On 31/01/14 21:55, Ryan Sleevi wrote:
> I would expect you to at least be re-issuing the certificate, since the
> original certificate's domain validation procedures clearly failed the
> requirements of 11.1.1 with respect to the "new" gTLD, and I would still
> expect the previous certificate to be revoked.

Are you sure about this? My understanding was that we were attempting to
create a safe overlap so that such certificates would not all need to be

As an example, if BigCorp had an internal network which used ".bigcorp",
and if they were to succeed in getting ".bigcorp" (indeed, this could be
the sole reason they forked out $300K to get it, to avoid the 2015
internal-certocalypse), then we would not want every certificate they
are using internally, which may number in the thousands, to have to be
revoked and reissued (potentially, bit-for-bit identically).



I do view such revocations as desirable, or at least requiring further clarification within the BRs if we're not going to require it.

In particular, I'm concerned for the situation of CAs that have issued "purely internal" certificates so BigCorp, which may not be BR compliant, on the liberal interpretation that the Scope (Section 1 of BRs 1.1.6) only apply to "[...] Certificates intended to be used for authenticating servers accessible through the Internet." It's clear that the some CAs view a class of issuance as "exempt" from the BRs, as we've seen within the discussions of certain payment providers/POS systems.

I don't think it's sufficient to state something like "Everything else in the cert is BR compliant", since there's a number of other time-gated ("at time of issuance") aspects of the BRs - such as Section 7.1.2.

A clarification that might avoid revocation:
"Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org<http://www.icann.org>], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the CA can demonstrate the certificate is compliant with all requirements of this document if it was treated that the certificate issuance date was on or after such contract publication."

Of course, this opens up a new issue - namely, that if the BRs have tightened since the (intranet) certificate was issued, such a certificate may no longer be compliant. Word smithing welcome.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140206/83394b55/attachment-0003.html>

More information about the Public mailing list