[cabfpub] Refinement of gTLD requirements
Gervase Markham
gerv at mozilla.org
Fri Feb 7 16:20:02 UTC 2014
On 06/02/14 19:01, Jeremy Rowley wrote:
> Since, as you pointed out, some CAs may consider purely internal server
> certs exempt under the scope section of the BRs, I’m not sure what the
> language change actually accomplishes.

Because once .bigcorp is delegated, the certs are no longer purely
internal server certs, because the domain names in them are
(potentially) Internet-valid.

Ryan's idea is to try and avoid revocation by saying "OK, .bigcorp has
been delegated. If you were to issue a bit-for-bit identical cert today,
would it meet the BRs? If so, you don't need to revoke it. Otherwise,
you do."

That seems like a good fix to me. But I myself don't know how
significant a problem this is in practice. I just remember in discussion
that some CAs were trying to avoid this "revoke everything internal"
scenario, and that's one of the reasons for the 120-day window - so
people can prove ownership of internal certs, and not have them revoked.

But if that's not a concern for anyone, then we should adopt Ryan's
interpretation.

Gerv
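Added illustration, not part of the post or of any CA/B Forum text: one way a CA or certificate owner might apply the "would an identical cert be issuable today?" test to an inventory once a TLD such as .bigcorp is delegated. The delegated-TLD set, the sample certs and the validation record are constructed for the example.

```python
from dataclasses import dataclass

# Constructed: TLDs assumed delegated by ICANN on the day the inventory is
# checked. ".bigcorp" is the hypothetical TLD discussed in the thread.
DELEGATED_TLDS = {"com", "org", "net", "bigcorp"}


@dataclass
class Cert:
    serial: str        # issuer-assigned serial (constructed)
    sans: list[str]    # dNSName entries from subjectAltName


def name_status(dns_name: str, delegated_tlds: set[str]) -> str:
    """Classify one dNSName as 'internal' or 'public'.

    'public': rightmost label is a delegated TLD, so the name is at least
    potentially resolvable on the Internet and BR domain validation applies.
    'internal': single label, or a TLD that has not been delegated.
    """
    labels = dns_name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "internal"
    return "public" if labels[-1] in delegated_tlds else "internal"


def certs_needing_review(certs, delegated_tlds, validated_names):
    """Flag certs that could not be issued bit-for-bit identical today.

    A 'public' name passes only if control of it has been demonstrated
    (validated_names: an assumed CA record keyed by FQDN; for a wildcard
    the base domain is looked up). Returns {serial: [unvalidated names]}.
    """
    flagged = {}
    for cert in certs:
        bad = []
        for name in cert.sans:
            base = name[2:] if name.startswith("*.") else name
            if (name_status(name, delegated_tlds) == "public"
                    and base.lower() not in validated_names):
                bad.append(name)
        if bad:
            flagged[cert.serial] = bad
    return flagged


SAMPLE_CERTS = [  # constructed inventory
    Cert("01", ["www.example.com", "intranet"]),      # validated + bare label
    Cert("02", ["mail.bigcorp", "*.bigcorp"]),        # .bigcorp now delegated
    Cert("03", ["wiki.corp", "wiki.corp.internal"]),  # TLDs not delegated
    Cert("04", ["portal.bigcorp"]),                   # delegated, control shown
]
VALIDATED = {"www.example.com", "portal.bigcorp"}  # constructed CA record
```

Running `certs_needing_review(SAMPLE_CERTS, DELEGATED_TLDS, VALIDATED)` flags only serial 02; the names under undelegated TLDs stay purely internal and the validated .bigcorp name passes the test.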