[cabfpub] Use of wildcard certificates by cloud operators

Rich Smith richard.smith at comodo.com
Fri May 23 07:25:53 MST 2014 

Kelvin,
Thanks, this looks good to me.  I'll endorse.
Regards,
Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Kelvin Yiu
> Sent: Thursday, May 22, 2014 8:09 PM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators
> 
> Here is my first stab at the changes. The redline version is attached.
> 
> Change the first 2 paragraphs in section 11.1.3 to:
> 
> Before issuing a certificate with a wildcard character (*) in a CN or
> subjectAltName of type DNS-ID, the CA MUST establish and follow a
> documented procedure† that determines if the wildcard character occurs
> in the first label position to the left of a public “registry-
> controlled” label (e.g. “*.com”, “*.co.uk”). CAs may consult with
> “public suffix lists” to identify public “registry-controlled” domains.
> See RFC 6454 Section 8.2 for further explanation).
> 
> If a wildcard would fall within the label immediately to the left of a
> public “registry-controlled” domain†, CAs MUST refuse issuance unless
> the applicant proves its rightful control of the entire Domain
> Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.com”, but MAY issue
> “*.example.com” to Example Co.). Domains registered to cloud service
> providers or Internet hosting service providers are not considered to
> be public if the provider maintains reasonable controls to monitor its
> Domain Namespace for fraudulent activities and remove any fraudulent
> Subdomains.
> 
> Change #7 of section 13.1.5 to:
> 
> 7. The CA is made aware that a Wildcard Certificate has been used to
> authenticate a fraudulently misleading subordinate Fully-Qualified
> Domain Name;, except when the Subscriber is a cloud service provider.
> The CA SHALL revoke a Wildcard Certificate issued to cloud service
> provider within nn days if the cloud service provider do not provide
> evidence of the following:
>     a.    Maintains a process that identifies potentially misleading
> subordinate domain names for additional approval
>     b.    Regularly monitors the Domain Namespace for fraudulent
> activities
>     c.    The fraudulent activities has been removed, or will
> investigate and remove the fraudulent activities within nn hours upon
> notification by the CA
>     d.    Asserts that the Private Key corresponding to the Public Key
> in the Wildcard Certificate has not been compromised
> 
> Thanks,
> 
> Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140523/82a081bd/attachment.bin

More information about the Public mailing list