[cabfpub] Ballot 129 - Update PSL language in BR 11.1.3

Gervase Markham gerv at mozilla.org
Fri Jul 18 10:56:57 UTC 2014


Here's a draft motion on updating and clarifying the BR language
relating to the PSL. I'm looking for comments, and endorsers.

Gerv

----------------------

An explanation in a footnote to section 11.1.3 of the Baseline
Requirements on how to use the Public Suffix List (PSL) is ambiguous
because the PSL has two sections--the "ICANN DOMAINS" section and the
"PRIVATE DOMAINS" section. Therefore, clarification is needed to explain
that it is the ICANN DOMAINS section of the PSL that CAs should use.

Gerv Markham of Mozilla made the following motion, and _ from and from _
have endorsed it.

Motion Begins

1. At the end of the middle sentence in the footnote "†" to section
11.1.3 of the Baseline Requirements INSERT:

"(PSL), and to retrieve a fresh copy regularly. If using the PSL, a CA
SHOULD consult the "ICANN DOMAINS" section only, not the "PRIVATE
DOMAINS" section. The PSL is updated regularly to contain new gTLDs
delegated by ICANN, which are listed in the "ICANN DOMAINS" section. A
CA is not prohibited from issuing a Wildcard Certificate to the
Registrant of an entire gTLD, provided that control of the entire
namespace is demonstrated in an appropriate way"

The resulting note will read as follows:

†Determination of what is “registry-controlled” versus the registerable
portion of a Country Code Top-Level Domain Namespace is not standardized
at the time of writing and is not a property of the DNS itself.

Current best practice is to consult a “public suffix list” such as
http://publicsuffix.org/ (PSL), and to retrieve a fresh copy regularly.
If using the PSL, a CA SHOULD consult the "ICANN DOMAINS" section only,
not the "PRIVATE DOMAINS" section. The PSL is updated regularly to
contain new gTLDs delegated by ICANN, which are listed in the "ICANN
DOMAINS" section. A CA is not prohibited from issuing a Wildcard
Certificate to the Registrant of an entire gTLD, provided that control
of the entire namespace is demonstrated in an appropriate way.

If the process for making this determination is standardized by an RFC,
then such a procedure SHOULD be preferred.

Motion Ends

The review period for this ballot shall commence at 2200 UTC on _ 2014,
and will close at 2200 UTC on _ 2014. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 2014. Votes must be cast by
posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear 'yes' in the
response. A vote against must indicate a clear 'no' in the response. A
vote to abstain must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. The latest vote received from any
representative of a voting member before the close of the voting period
will be counted. Voting members are listed here:
https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes
cast by members in the CA category and greater than 50% of the votes
cast by members in the browser category must be in favor. Quorum is
currently seven (7) members – at least seven members must participate in
the ballot, either by voting in favor, voting against, or abstaining.
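
An added example, not part of the original message or of the Baseline Requirements: one way a CA's issuance check could read only the "ICANN DOMAINS" section of a PSL file when deciding whether a wildcard name sits directly on a public suffix. The function names and the sample excerpt are assumptions constructed for illustration; the excerpt is not the real list.

```python
# Constructed excerpt in the PSL file format; not the real list.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""
def load_rules(psl_text, icann_only=True):
    """Parse PSL text into (plain, wildcard, exception) rule sets."""
    plain, wild, exc, section, saw_icann = set(), set(), set(), None, False
    for raw in psl_text.splitlines():
        line = raw.strip()
        if line.startswith("// ===BEGIN "):
            section = line[len("// ===BEGIN "):].rstrip("=").strip()
            saw_icann = saw_icann or section == "ICANN DOMAINS"
        elif line.startswith("// ===END "):
            section = None
        elif line and not line.startswith("//"):
            if icann_only and section != "ICANN DOMAINS":
                continue  # skip PRIVATE DOMAINS and unsectioned rules
            rule = line.split()[0].lower()
            if rule.startswith("!"):
                exc.add(rule[1:])       # exception rule, e.g. !www.ck
            elif rule.startswith("*."):
                wild.add(rule[2:])      # wildcard rule, e.g. *.ck
            else:
                plain.add(rule)
    if icann_only and not saw_icann:
        # A copy without section markers would otherwise load zero rules.
        raise ValueError("no ICANN DOMAINS section found; refusing to fail open")
    return plain, wild, exc

def is_public_suffix(name, rules):
    plain, wild, exc = rules
    name = name.lower().rstrip(".")
    if name in exc:
        return False
    if name in plain or name.partition(".")[2] in wild:
        return True
    return "." not in name  # implicit "*" rule: an unlisted TLD is a suffix

def wildcard_on_public_suffix(san, rules):
    """True when the name right of '*.' is itself a public suffix."""
    return san.startswith("*.") and is_public_suffix(san[2:], rules)
```

A True result marks the request for the namespace-control demonstration the motion text describes; with icann_only=False the same check would also flag names under PRIVATE DOMAINS entries such as the sample's github.io.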


