[cabfpub] Refinement of gTLD requirements

Rick Andrews Rick_Andrews at symantec.com
Fri Jan 31 21:59:28 UTC 2014

That’s the first time I’ve heard that interpretation, and I don’t think that is what’s inferred by the BRs: “the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly registers the domain name.”

I’d like to hear how others have interpreted this.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, January 31, 2014 1:56 PM
To: Rick Andrews
Cc: Gervase Markham; public at cabforum.org
Subject: Re: [cabfpub] Refinement of gTLD requirements

On Fri, Jan 31, 2014 at 1:31 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
Comments inline.

> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Friday, January 31, 2014 2:12 AM
> To: Rick Andrews; public at cabforum.org
> Subject: Re: [cabfpub] Refinement of gTLD requirements
> On 30/01/14 18:50, Rick Andrews wrote:
> > I believe that CAs cannot determine if the Subscriber is “either the
> > Domain Name Registrant or can demonstrate control over the Domain
> > Name” until the domain has been delegated.
> Is the information in the "contract signed" email not sufficient to
> identify the company concerned? If it is, then in order to determine
> that someone is the Domain Name Registrant, you have to ascertain they
> work for that company.
> If it's not, then we should get ICANN to add more info to those emails.
No, it's not a question of who to contact, but rather uncertainty about when the domain will be open for registration, and whether the certificate holder will have time to register the domain and prove ownership to the CA before the deadline passes.

> >  1. Checking the page
> >     http://newgtlds.icann.org/en/program-status/delegated-strings
> >     (updated within one day or two after the delegation happens)
> >  2. Checking the page
> >     https://data.iana.org/TLD/tlds-alpha-by-domain.txt (updated
> >     automatically by IANA)
> There is also a mailing list, and a spreadsheet auto-populated from the
> mailing list which Mozilla maintains.
> > “Within 120 days after the delegation from the public DNS root for a
> > new gTLD
> As Ryan says, the choice of "contracted" was intentional.
I was under the impression that some domains would open for registration and allow the certificate holder to buy the domain. In such cases, the certificate doesn't need to be revoked. We have customers who hope to do that. I'm trying to make that process more clear and straightforward for the certificate holder and the CA.


I would expect you to at least be re-issuing the certificate, since the original certificate's domain validation procedures clearly failed the requirements of 11.1.1 with respect to the "new" gTLD, and I would still expect the previous certificate to be revoked.

The important aspect is that the domain registries should be able to set their policies, and the only way to allow them the flexibility to evaluate the risk to their operations and make a policy decision on how to balance the risk to their potential registrants is by the contracted date.
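
The second check in the quoted list (the IANA `tlds-alpha-by-domain.txt` file) can be automated. As an added example, not part of the original thread: a sketch that parses that file's format and flags previously issued internal-name certificates whose rightmost label is now a delegated TLD. The list contents, certificate names and function names are constructed for illustration.

```python
# Added example, not from the thread. All sample data below is constructed.
# File format: one '#' header line, then one upper-case TLD per line
# (IDN TLDs appear as XN-- A-labels).
SAMPLE_TLD_LIST = """\
# Version 2014013100, Last Updated Fri Jan 31 07:07:01 2014 UTC
COM
GURU
ORG
XN--NGBC5AZD
"""

# Constructed dNSNames from certificates issued as "internal names".
SAMPLE_INTERNAL_NAMES = ["mail.corp", "*.dev.guru", "Intranet.GURU.",
                         "exchange.local", "mailserver"]


def parse_tld_list(text):
    """Return the delegated TLDs in the file as a set of lower-case A-labels."""
    tlds = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip header and blank lines
            continue
        tlds.add(line.lower())
    return tlds


def rightmost_label(name):
    """Rightmost label of a dNSName, normalised to a lower-case A-label."""
    name = name.strip().rstrip(".").lower()   # drop root dot, fold case
    if name.startswith("*."):                 # wildcard prefix is not a label
        name = name[2:]
    label = name.rsplit(".", 1)[-1]
    if not label.isascii():                   # U-label: convert to A-label
        label = label.encode("idna").decode("ascii")
    return label


def reclassify(internal_names, tlds):
    """Names issued as internal that now fall under a delegated TLD."""
    return [n for n in internal_names if rightmost_label(n) in tlds]


if __name__ == "__main__":
    delegated = parse_tld_list(SAMPLE_TLD_LIST)
    for name in reclassify(SAMPLE_INTERNAL_NAMES, delegated):
        print("needs review:", name)
```
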
