[cabfpub] [cabfquest] New gTLD Issue

Ryan Sleevi sleevi at google.com
Wed Jan 15 14:50:20 MST 2014


On Wed, Jan 15, 2014 at 1:49 PM, Ryan Sleevi <sleevi at google.com> wrote:

>
> On Wed, Jan 15, 2014 at 10:37 AM, Bruce Morton <bruce.morton at entrust.com>wrote:
>
>>  Ryan,
>>
>> I hear your objection, but here is an example of what is happening:
>>
>> A company like Honda gets a publicly trusted SSL certificate which
>> includes the SAN for honda.tokyo. ICANN approved .tokyo as a new gTLD.
>> Honda has a legitimate certificate, but they just need to register
>> honda.tokyo. The problem is the registry is not available within 120 days.
>> Is it legitimate that the CA must revoke the certificate, Honda must find a
>> new solution, then when the registry is available that Honda must then
>> reverse the situation?
>>
>> The 30 day issue is just a number and can be debated. With the current
>> policy the registry could be available in 60 days, but there are 120 days
>> until the certificate must be revoked, so an attack problem already exists.
>>
>> Thanks again for your review, Bruce.
>>
>
> Hi Bruce,
>
> So, there's a couple problems in this scenario.
>
> 1) Honda should not have gotten a publicly trusted certificate which
> includes a SAN for honda.tokyo.
>
> We've agreed this is a problematic process, and in a user agent like
> Chrome, will be outright rejected as such. While it's extremely unfortunate
> that they were able to get such a cert in the first place, I see it as a
> "bug", not a "feature".
>
> 2) Yes. Neither Honda, nor any company for that matter, should be able to
> obtain honda.tokyo until they can demonstrate ownership.
>
> The revocation requirement exists because there are too many nuances here,
> and even more unfortunately, too many internal server names that have been
> issued.
>
> 3) ICANN's advice to new registrants has been precipitated based on the
> CA/B Forum's requirements. In particular, registries that allow
> registration in 30 days - or 60 days - are making unfortunate security
> decisions that unquestionably put their customers/registrants at risk.
>
> This is why, for example, ICANN / the SSAC canvassed CAs to try to
> understand the risks, as well as help inform new applicants the risks based
> on different timing.
>
> Much like Chrome does not respect internal server names from publicly
> trusted CAs, we'd strongly oppose any measures that seek to loosen the
> current requirements for revocation. Ideally, we'd love to see the practice
> ceased altogether.
>
> Best regards,
> Ryan
>
>

Reposting to cabfpub as well, per earlier.


>
>>
>> From: Ryan Sleevi [mailto:sleevi at google.com]
>> Sent: Thursday, January 09, 2014 1:27 PM
>> To: Bruce Morton
>> Cc: questions at cabforum.org; CABFPub
>> Subject: Re: [cabfquest] New gTLD Issue
>>
>> On Thu, Jan 9, 2014 at 8:58 AM, Bruce Morton <bruce.morton at entrust.com>
>> wrote:
>>
>> I’m not sure if this has been discussed, but I see a problem with moving
>> to new gTLDs.
>>
>> BR 11.1.4 states “Within 120 days after the publication of a contract for
>> a new gTLD is published on [www.icann.org], CAs MUST revoke each
>> Certificate containing a Domain Name that includes the new gTLD unless the
>> Subscriber is either the Domain Name Registrant or can demonstrate control
>> over the Domain Name.”
>>
>> The solution is to advise the customer to register the domain and if they
>> cannot, then the certificate would be revoked. This does assume that a
>> registry is available. The problem is that there is no guarantee that the
>> registry will be available within 120 days.
>>
>> In many cases the Subscriber will be eligible to register the domain. If
>> there is no registry, then there is no conflict with anyone else
>> registering the same domain name. As such there is no increased risk.
>>
>> The goal is, of course, to phase these names out entirely, and the plan
>> described is a temporary plan until 1 November 2015 comes into play and no
>> new private registrations are allowed. Some browsers (eg: Chrome) have gone
>> ahead and already disallowed publicly trusted CAs (eg: those in the known
>> root stores) from issuing against non-IANA assigned TLDs.
>>
>> I’m trying to figure out the wording for the standard, but if there is no
>> registry available after 120 days, then the certificate SHOULD NOT be
>> revoked. The Subscriber should be given 30 days from when the registry is
>> available to get the domain deployed. The problem is there is no notice
>> when a registry is available, so as a service, the CA could check for the
>> registry on a regular basis and advise the Subscriber when the registry is
>> available.
>>
>> The goal of the wording was to prevent a situation where the current
>> subscriber is unable to register the name, and some other party -
>> presumably with an as-legitimate-or-more-legitimate claim to the name - is
>> able to register. By allowing 30 days from when the registry is available,
>> this creates an opportunity for the subscriber to 'mount an attack' for up
>> to 30 days before the CA performs the registration-or-revoke check.
>>
>> As I read it, the language here provides for subscribers who are also
>> applying for registries, since even after gTLD approval, there is still the
>> execution of the registry agreement and pre-delegation testing.
>>
>> Speaking on the browser side, we'd strongly oppose any proposals or
>> interpretations that encourage the continued use of these certificates. The
>> choice of 120 days was a compromise from the initial proposal of
>> "immediate". The goal of 120 days is not to give a window of continued
>> acceptable operation - it's to provide a maximum upper-bound of time needed
>> for the subscriber to transition away from the name. The only equitable AND
>> enforceable balance is one that's applied consistently.
>>
>> It should also be determined how this would be integrated with BR 9.2.1
>> which states that certificates without registered domains must not be
>> issued after 1 November 2015 and must be revoked by 1 October 2016. If the
>> gTLD has been approved, but there is no registry, then we should consider
>> not taking this action until a registry is available.
>>
>> Respectfully, I would have to disagree. These names should not have been
>> issued to begin with, since it undermines the security of SSL for all users
>> who might use those names, and assurances that customers are "OV validated"
>> does little to provide any sort of programmatic guarantees.
>>
>> Thanks,
>>
>> Bruce Morton
>>
>> Entrust Certificate Services
>>
>> +1 613.270.3743
>>
>> ECS Blog <http://www.entrust.com/author/bruce-morton/>
>>
>>
>>
>>
>
>
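An added example, not part of this thread and not tooling from any CA or browser: a small Python model of the two Baseline Requirements clauses discussed above, BR 11.1.4 (revoke within 120 days of the new gTLD's contract being published on www.icann.org unless the subscriber is the registrant or demonstrates control) and BR 9.2.1 (no issuance for non-registered names after 1 November 2015, revocation by 1 October 2016), run over a constructed SAN list. The TLD set and contract dates are constructed stand-ins for the IANA root zone list and ICANN's published registry agreements, and all function names are my own.

```python
from datetime import date, timedelta

# Constructed stand-in for the IANA root zone TLD list (the real one is much longer).
DELEGATED_TLDS = frozenset({"com", "net", "org", "jp"})

# Constructed sample of new gTLDs keyed to the date their registry agreement
# ("contract") was published on www.icann.org. These dates are made up.
NEW_GTLD_CONTRACT_DATES = {
    "tokyo": date(2014, 1, 10),
    "guru": date(2013, 11, 6),
}

REVOCATION_WINDOW = timedelta(days=120)             # BR 11.1.4
INTERNAL_NAME_ISSUANCE_CUTOFF = date(2015, 11, 1)   # BR 9.2.1: no issuance after this date
INTERNAL_NAME_REVOCATION_DATE = date(2016, 10, 1)   # BR 9.2.1: revoke by this date


def tld_of(dns_name):
    """Rightmost DNS label, normalised for case and a trailing dot."""
    return dns_name.lower().rstrip(".").rsplit(".", 1)[-1]


def classify_san(dns_name, today, registered_names=frozenset()):
    """Return (status, deadline) for one dNSName SAN as of `today`.

    status:
      "ok"            subscriber is the registrant or has demonstrated control
      "new_gtld"      contract published; register before `deadline` or be revoked
      "revoke_now"    contract date + 120 days has passed without registration
      "internal_name" TLD neither delegated nor contracted; BR 9.2.1 sunset applies
      "public"        ordinary delegated TLD, validated at issuance; nothing to do
    """
    name = dns_name.lower().rstrip(".")
    base = name[2:] if name.startswith("*.") else name   # wildcard covers the base name
    if base in registered_names:
        return "ok", None
    tld = tld_of(name)
    if tld in NEW_GTLD_CONTRACT_DATES:
        # The clock starts at contract publication, not at registry availability.
        deadline = NEW_GTLD_CONTRACT_DATES[tld] + REVOCATION_WINDOW
        return ("revoke_now" if today >= deadline else "new_gtld"), deadline
    if tld not in DELEGATED_TLDS:
        return "internal_name", INTERNAL_NAME_REVOCATION_DATE
    return "public", None


def revocation_actions(sans, today, registered_names=frozenset()):
    """Classify every SAN in a certificate."""
    return {san: classify_san(san, today, registered_names) for san in sans}


def earliest_deadline(actions):
    """A certificate is revoked as a whole, so the CA acts on the earliest
    deadline across all of its names."""
    deadlines = [d for _, d in actions.values() if d is not None]
    return min(deadlines) if deadlines else None


def internal_name_issuance_allowed(issue_date):
    """BR 9.2.1 as quoted in the thread: non-registered names must not be
    issued after 1 November 2015 (issuance on that date is still permitted)."""
    return issue_date <= INTERNAL_NAME_ISSUANCE_CUTOFF


if __name__ == "__main__":
    # Constructed certificate SAN list in the spirit of the Honda scenario.
    sans = ["www.honda.jp", "honda.tokyo", "intranet.honda.local", "*.honda.guru"]
    today = date(2014, 1, 15)
    acts = revocation_actions(sans, today)
    for san, (status, deadline) in acts.items():
        print(f"{san:24} {status:14} {deadline or ''}")
    print("act on this certificate by:", earliest_deadline(acts))
```

The point Ryan makes in the thread is built into `classify_san`: the 120-day deadline is anchored to contract publication, so a registry that is not yet accepting registrations does not extend it. Passing the subscriber's registered names via `registered_names` is the only thing that clears a new-gTLD SAN.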