[cabfpub] Use of wildcard certificates by cloud operators

Kelvin Yiu kelviny at exchange.microsoft.com
Mon May 5 10:10:33 MST 2014

This Netcraft post (http://news.netcraft.com/archives/2014/04/28/phishers-find-microsoft-azure-30-day-trial-irresistible.html) has highlighted some questions for us about wildcard certificate requirements in the BR and how they apply to cloud operators.

Microsoft Azure customers can create sub domain names under specific MS registered domains (e.g. myservice.azurewebsites.net). Users can access these FQDNs using HTTPS, which is secured with a wildcard certificate managed by Azure. Customers do not have access to the private key of the wildcard certificate. Azure also maintains a process to monitor for fraudulent activities and will take down such sites. AFAIK, other cloud operators such as Google App Engine and Amazon Web Services use wildcard certificates in a similar way.

Here are my questions to the forum:

1. Section 11.1.3 of the BR explicitly disallows wildcard certificates for registry controlled domains (e.g. *.com). The Mozilla maintained http://publicsuffix.org is cited as an example of a public suffix list where Azure, GAE, and AWS domains can be found. Does the current usage of wildcard certificates by cloud operators violate the BR? If so, is this intentional and what is the reason?

2. Section 13.1.5 of the BR explicitly requires wildcard certificates that were "used to authenticate fraudulently misleading subordinate FQDN" to be revoked within 24 hours. If the fraudulent sites never had access to the private key of the wildcard certificate and the cloud operator has a process to take down fraudulent sites, should these wildcard certificates be required to be revoked?

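The check that question 1 turns on, written out as an added example (it is not part of Kelvin Yiu's post and is not CA/Browser Forum, Microsoft, Google or Amazon code): take a wildcard name from a certificate, apply the Public Suffix List's matching rules to the part right of the `*.`, and report whether that part is itself a public suffix, which is exactly the case where the wildcard sits directly to the left of a registry-controlled or public suffix. The list embedded in the block is a constructed excerpt for the example, not the real publicsuffix.org list; the `azurewebsites.net`, `cloudapp.net`, `appspot.com` and `s3.amazonaws.com` entries are assumed here to stand in for the cloud-operator entries the post refers to, and a real check must fetch the current list. The `*.ck` / `!www.ck` pair is included so the wildcard and exception rule handling gets exercised, because those are the cases a naive "is the base domain in the list" lookup gets wrong.

```python
"""Check a wildcard certificate name against the Public Suffix List.

Added example, not code from the mailing-list post. PSL_EXCERPT is a
constructed subset; the real list is at https://publicsuffix.org/list/ and
must be fetched for any real check.
"""
from __future__ import annotations

# Constructed PSL excerpt. Entry syntax follows the real list: one rule per
# line, "//" comments, "*" wildcard labels and "!" exception rules. The
# cloud-provider entries are assumed for illustration only.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
net
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
azurewebsites.net
cloudapp.net
appspot.com
s3.amazonaws.com
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text: str) -> dict[tuple[str, ...], bool]:
    """Return {rule_labels: is_exception}, labels kept in DNS order."""
    rules: dict[tuple[str, ...], bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0].lower()  # a rule ends at the first whitespace
        exception = rule.startswith("!")
        if exception:
            rule = rule[1:]
        labels = tuple(rule.split("."))
        if exception and len(labels) < 2:
            raise ValueError(f"exception rule needs two labels: {raw!r}")
        rules[labels] = exception
    return rules


def _labels(name: str) -> list[str]:
    labels = name.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def public_suffix(domain: str, rules: dict[tuple[str, ...], bool]) -> str:
    """Public suffix of `domain` under the PSL algorithm.

    A rule matches when, aligned on the right, each of its labels equals the
    domain label or is "*". Among matching rules an exception rule wins,
    otherwise the longest rule wins, and with no match the default rule "*"
    applies. An exception rule's suffix is the rule minus its leftmost label.
    """
    labels = _labels(domain)
    best: tuple[bool, tuple[str, ...]] | None = None
    for rule, exception in rules.items():
        if len(rule) > len(labels):
            continue
        tail = labels[-len(rule):]
        if not all(r == "*" or r == d for r, d in zip(rule, tail)):
            continue
        if best is None or (exception and not best[0]) or (
            exception == best[0] and len(rule) > len(best[1])
        ):
            best = (exception, rule)
    if best is None:
        return labels[-1]
    exception, rule = best
    keep = len(rule) - 1 if exception else len(rule)
    return ".".join(labels[-keep:])


def wildcard_verdict(san: str, rules: dict[tuple[str, ...], bool]) -> dict:
    """Classify a wildcard SAN such as "*.azurewebsites.net".

    public_suffix_adjacent is True when the name right of "*." is itself a
    public suffix, i.e. the wildcard sits directly left of a public suffix.
    """
    if not san.startswith("*."):
        raise ValueError(f"{san!r} is not a wildcard name")
    base_labels = _labels(san[2:])
    base = ".".join(base_labels)
    suffix = public_suffix(base, rules)
    registrable = None
    if suffix != base:
        registrable = ".".join(base_labels[-(len(suffix.split(".")) + 1):])
    return {
        "name": "*." + base,
        "public_suffix": suffix,
        "registrable_domain": registrable,
        "public_suffix_adjacent": suffix == base,
    }


if __name__ == "__main__":
    psl = parse_psl(PSL_EXCERPT)
    for san in ("*.azurewebsites.net", "*.myservice.azurewebsites.net",
                "*.example.com", "*.com", "*.foo.ck", "*.www.ck"):
        v = wildcard_verdict(san, psl)
        flag = "wildcard directly left of a public suffix" if v["public_suffix_adjacent"] else "ok"
        print(f"{san:32} suffix={v['public_suffix']:18} {flag}")
```

Against this excerpt `*.azurewebsites.net` is flagged while `*.myservice.azurewebsites.net` is not, which is the distinction the question is really about: the operator's own wildcard covers the label directly left of the listed suffix, a customer's wildcard under it does not. Note the exception handling: `*.www.ck` is not flagged because `!www.ck` makes `www.ck` registrable even though `*.ck` would otherwise make every second-level `.ck` name a public suffix.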