[cabfpub] Use of wildcard certificates by cloud operators

Kelvin Yiu kelviny at exchange.microsoft.com
Thu May 22 17:08:35 MST 2014


Here is my first stab at the changes. The redline version is attached. 

Change the first 2 paragraphs in section 11.1.3 to:

Before issuing a certificate with a wildcard character (*) in a CN or subjectAltName of type DNS-ID, the CA MUST establish and follow a documented procedure† that determines if the wildcard character occurs in the first label position to the left of a public “registry-controlled” label (e.g. “*.com”, “*.co.uk”). CAs may consult with “public suffix lists” to identify public “registry-controlled” domains. See RFC 6454 Section 8.2 for further explanation.

If a wildcard would fall within the label immediately to the left of a public “registry-controlled” domain†, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.com”, but MAY issue “*.example.com” to Example Co.). Domains registered to cloud service providers or Internet hosting service providers are not considered to be public if the provider maintains reasonable controls to monitor its Domain Namespace for fraudulent activities and remove any fraudulent Subdomains.

Change #7 of section 13.1.5 to:

7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name, except when the Subscriber is a cloud service provider. The CA SHALL revoke a Wildcard Certificate issued to a cloud service provider within nn days if the cloud service provider does not provide evidence of the following:
    a.    Maintains a process that identifies potentially misleading subordinate domain names for additional approval
    b.    Regularly monitors the Domain Namespace for fraudulent activities
    c.    The fraudulent activities have been removed, or will investigate and remove the fraudulent activities within nn hours upon notification by the CA
    d.    Asserts that the Private Key corresponding to the Public Key in the Wildcard Certificate has not been compromised

Thanks,

Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CABF SSL BR wildcard proposal v03.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 17492 bytes
Desc: CABF SSL BR wildcard proposal v03.docx
Url : https://cabforum.org/pipermail/public/attachments/20140523/216d59c2/attachment-0001.bin 
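The check proposed for section 11.1.3 (does the wildcard sit directly to the left of a public, registry-controlled label?) can be automated against a public suffix list. The following is an added example, not code from the proposal or from the CA/Browser Forum, and the embedded suffix list is a constructed subset in the real list's rule syntax (plain rules, `*.` wildcard rules, `!` exception rules, and the `// ===BEGIN PRIVATE DOMAINS===` section marker); the `cloud-example.net` entry and the function names are assumptions for illustration. The `provider_domains_are_public` switch models the proposal's carve-out for cloud and hosting providers, which the public suffix list files under its private section.

```python
# Added example: decide whether a wildcard name falls directly left of a
# public "registry-controlled" label, using Public Suffix List matching rules.
# The suffix list below is a constructed subset, not the real file.
PSL_SAMPLE = """
// ICANN section (constructed sample)
com
net
uk
co.uk
*.ck
!www.ck

// ===BEGIN PRIVATE DOMAINS===
// hypothetical cloud/hosting provider entry
cloud-example.net
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Return [(rule, is_private)] from PSL text; comments and blanks are skipped."""
    rules, private = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN PRIVATE DOMAINS==="):
            private = True
        elif line.startswith("// ===END PRIVATE DOMAINS==="):
            private = False
        if not line or line.startswith("//"):
            continue
        rules.append((line.split()[0], private))  # rule text ends at first whitespace
    return rules


def public_suffix(domain, rules, include_private=True):
    """Labels of the public suffix of `domain`, per the PSL algorithm:
    exception rules win outright (minus their leftmost label), otherwise the
    longest matching rule wins, and "*" is the default when nothing matches."""
    labels = domain.lower().rstrip(".").split(".")
    prevailing = None
    for rule, private in rules:
        if private and not include_private:
            continue
        exception = rule.startswith("!")
        rule_labels = (rule[1:] if exception else rule).split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[len(labels) - len(rule_labels):]
        if not all(r == "*" or r == t for r, t in zip(rule_labels, tail)):
            continue
        if exception:
            return rule_labels[1:]
        if prevailing is None or len(rule_labels) > len(prevailing):
            prevailing = rule_labels
    if prevailing is None:
        prevailing = ["*"]
    return labels[len(labels) - len(prevailing):]


def wildcard_decision(name, rules, provider_domains_are_public=True):
    """'not-wildcard', 'issue', or 'refuse' (refuse = wildcard sits directly left
    of a registry-controlled label, so issuance needs proof of control of the
    entire namespace). Other Baseline Requirements checks are out of scope."""
    labels = name.lower().rstrip(".").split(".")
    wildcard_positions = [i for i, label in enumerate(labels) if "*" in label]
    if not wildcard_positions:
        return "not-wildcard"
    # Only the labels to the right of the wildcard label matter for this check.
    right = labels[wildcard_positions[-1] + 1:]
    if not right:
        return "refuse"  # a bare "*" would cover the whole DNS root
    suffix = public_suffix(".".join(right), rules, include_private=provider_domains_are_public)
    return "refuse" if suffix == right else "issue"


if __name__ == "__main__":
    rules = parse_psl(PSL_SAMPLE)
    for candidate in ["*.com", "*.co.uk", "*.example.com", "*.ck", "*.www.ck",
                      "*.foo.ck", "*.cloud-example.net"]:
        print(candidate, wildcard_decision(candidate, rules),
              wildcard_decision(candidate, rules, provider_domains_are_public=False))
```

With the private section honoured, `*.cloud-example.net` is refused exactly like `*.co.uk`; with `provider_domains_are_public=False` (the proposal's treatment of a provider that monitors its namespace) it is issuable like `*.example.com`. The `!www.ck` case shows why exception rules must be handled: `*.www.ck` is issuable although `*.foo.ck` is not.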

