[cabfpub] Refinement of gTLD requirements

[Ryan Sleevi]

On Thu, Jan 30, 2014 at 10:50 AM, Rick Andrews <Rick_Andrews at symantec.com>wrote:

>  Section 11.1.4 of the Baseline Requirements says “Within 120 days after
> the publication of a contract for a new gTLD is published on [
> www.icann.org], CAs MUST revoke each Certificate containing a Domain Name
> that includes the new gTLD unless the Subscriber is either the Domain Name
> Registrant or can demonstrate control over the Domain Name.”
>
> We’ve been encountering several problems with this:
>
>    1. The main web page at *www.icann.org* <http://www.icann.org> doesn’t
>    list the publication of new contracts. It contains a link to “See which
>    strings have been delegated”, which takes you to a Delegated Strings page
>    at *http://newgtlds.icann.org/en/program-status/delegated-strings*<http://newgtlds.icann.org/en/program-status/delegated-strings>.
>    That’s not the same as publication of new contracts.
>    2. ICANN has a method for notifying everyone of new contract signings
>    (see *https://mm.icann.org/mailman/listinfo/gtldnotification*<https://mm.icann.org/mailman/listinfo/gtldnotification>),
>    but we’re finding that there is a time lag between the time the contract is
>    signed (and the email is sent) and the time that the domain is delegated
>    from the public DNS root. I checked with Francisco Arias from ICANN, who
>    confirmed that “(delegation) depends in a number of factors and wouldn't
>    happen until, at least, a few weeks after the contract is signed, in the
>    best case scenario.”
>
>
> I believe that CA’s cannot determine if the Subscriber is “either the
> Domain Name Registrant or can demonstrate control over the Domain Name”
> until the domain has been delegated.
>
> Francisco also confirmed that there are a few ways to learn about the
> delegation of a new gTLD:
>
>    1. Checking the page
>    *http://newgtlds.icann.org/en/program-status/delegated-strings*<http://newgtlds.icann.org/en/program-status/delegated-strings>(updated within one day or two after the delegation happens)
>    2. Checking the page
>    *https://data.iana.org/TLD/tlds-alpha-by-domain.txt*<https://data.iana.org/TLD/tlds-alpha-by-domain.txt>(updated automatically by IANA)
>
>
> I’m thinking of creating a ballot to update Section 11.1.4 to say
> something like:
>
> “Within 120 days after the delegation from the public DNS root for a new
> gTLD (as indicated by either one of the two URLs below), CAs MUST revoke
> each Certificate containing a Domain Name that includes the new gTLD unless
> the Subscriber is either the Domain Name Registrant or can demonstrate
> control over the Domain Name.
> *http://newgtlds.icann.org/en/program-status/delegated-strings*<http://newgtlds.icann.org/en/program-status/delegated-strings>
> *https://data.iana.org/TLD/tlds-alpha-by-domain.txt*<https://data.iana.org/TLD/tlds-alpha-by-domain.txt>
> ”
>
> I welcome your comments.
>
> -Rick
>
>

The choice of "contracted" versus "delegated" was intentional, as a way to
mitigate the security risks highlighted by the SSAC.

The choice of 120 days from "contracted" allows registries for sensitive
domains to *not delegate / not allow registrations* until 120 days have
passed, and all "intranet" certificates have been revoked. That is, the
registry can make its own decision to *require* that all intranet
certificates have been revoked before they allow registration. Otherwise,
they run the risk of allowing registrations for domains to third-parties
that may be intercepted by "malicious" parties who previously obtained
intranet certificates.

As such, I would oppose changing the language from contracted to delegated,
as it provides an important security control for registries to make,
independent of CAs, and the change proposed would create an up-to 120-day
window of risk for *all* registries, dependent on CA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140130/7f4d70b0/attachment.html