[cabfpub] Use of wildcard certificates by cloud operators

Richard@WoSign richard at wosign.com
Fri May 23 20:22:47 MST 2014


For wildcard certificates, I think we must limit them to OV SSL only. But I found some CAs issued wildcard SSL to DV; this is a big problem.


Regards,

Richard

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Kelvin Yiu
Sent: Saturday, May 24, 2014 2:49 AM
To: Rick Andrews; richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators

That's correct. The cloud operator would have to meet all 4 requirements. 

I would like to know the type of evidence CAs would need for #1 and #2.

Kelvin

-----Original Message-----
From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, May 23, 2014 11:01 AM
To: Kelvin Yiu; richard.smith at comodo.com; public at cabforum.org
Subject: RE: [cabfpub] Use of wildcard certificates by cloud operators

Just to be clear, Kelvin, the CA SHALL revoke the cert if the cloud service provider doesn't provide evidence of ALL of the four items you listed.

-Rick

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Kelvin Yiu
Sent: Friday, May 23, 2014 10:03 AM
To: richard.smith at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators

Thanks Rich.

I want to make a change before moving forward with a ballot since I didn't specify any time periods in my previous draft. Here is the updated section 13.1.5. 

7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name, except when the Subscriber is a cloud service provider. The CA SHALL revoke a Wildcard Certificate issued to a cloud service provider within 5 days if the cloud service provider does not provide evidence of the following:
1. Maintains a process that identifies potentially misleading subordinate domain names for additional approval
2. Regularly monitors the Domain Namespace for fraudulent activities
3. The fraudulent activities have been removed, or will investigate and remove the fraudulent activities within 24 hours upon notification by the CA
4. Asserts that the Private Key corresponding to the Public Key in the Wildcard Certificate has not been compromised

Thanks,

Kelvin
 
-----Original Message-----
From: Rich Smith [mailto:richard.smith at comodo.com]
Sent: Friday, May 23, 2014 7:26 AM
To: Kelvin Yiu; public at cabforum.org
Subject: RE: [cabfpub] Use of wildcard certificates by cloud operators

Kelvin,
Thanks, this looks good to me.  I'll endorse.
Regards,
Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Kelvin Yiu
> Sent: Thursday, May 22, 2014 8:09 PM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators
> 
> Here is my first stab at the changes. The redline version is attached.
> 
> Change the first 2 paragraphs in section 11.1.3 to:
> 
> Before issuing a certificate with a wildcard character (*) in a CN or 
> subjectAltName of type DNS-ID, the CA MUST establish and follow a 
> documented procedure† that determines if the wildcard character occurs 
> in the first label position to the left of a public “registry- 
> controlled” label (e.g. “*.com”, “*.co.uk”). CAs may consult with 
> “public suffix lists” to identify public “registry-controlled” domains.
> (See RFC 6454 Section 8.2 for further explanation.)
> 
> If a wildcard would fall within the label immediately to the left of a 
> public “registry-controlled” domain†, CAs MUST refuse issuance unless 
> the applicant proves its rightful control of the entire Domain 
> Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.com”, but MAY 
> issue “*.example.com” to Example Co.). Domains registered to cloud 
> service providers or Internet hosting service providers are not 
> considered to be public if the provider maintains reasonable controls 
> to monitor its Domain Namespace for fraudulent activities and remove 
> any fraudulent Subdomains.
> 
> Change #7 of section 13.1.5 to:
> 
> 7. The CA is made aware that a Wildcard Certificate has been used to 
> authenticate a fraudulently misleading subordinate Fully-Qualified 
> Domain Name, except when the Subscriber is a cloud service provider.
> The CA SHALL revoke a Wildcard Certificate issued to a cloud service 
> provider within nn days if the cloud service provider does not provide 
> evidence of the following:
>     a.    Maintains a process that identifies potentially misleading
> subordinate domain names for additional approval
>     b.    Regularly monitors the Domain Namespace for fraudulent
> activities
>     c.    The fraudulent activities have been removed, or will
> investigate and remove the fraudulent activities within nn hours upon 
> notification by the CA
>     d.    Asserts that the Private Key corresponding to the Public Key
> in the Wildcard Certificate has not been compromised
> 
> Thanks,
> 
> Kelvin
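The section 11.1.3 procedure drafted above, worked through as an added example (not code from this thread or from the CA/Browser Forum): a CA-side pre-issuance check that locates the wildcard relative to a public "registry-controlled" suffix. It assumes a small constructed public-suffix rule subset in place of the real list at publicsuffix.org, omits the PSL's "!" exception rules, assumes the wildcard must be the single leftmost label, and models the cloud-operator exception as a set of base domains for which control of the entire Domain Namespace has been proven.

```python
# Constructed PSL subset (assumption: a real deployment loads publicsuffix.org).
# A "*." rule means every label directly under it is itself registry-controlled;
# "!" exception rules are omitted here.
PUBLIC_SUFFIX_RULES = ["com", "net", "uk", "co.uk", "org.uk", "jp", "co.jp",
                       "ck", "*.ck"]


def public_suffix(fqdn, rules=PUBLIC_SUFFIX_RULES):
    """Longest matching rule wins; an unlisted TLD is treated as public,
    as the PSL matching algorithm prescribes."""
    labels = fqdn.lower().strip(".").split(".")
    best = None
    for rule in rules:
        parts = rule.split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p == "*" or p == t for p, t in zip(parts, tail)):
            if best is None or len(tail) > len(best):
                best = tail
    return ".".join(best if best else labels[-1:])


def wildcard_issuance_decision(name, proven_namespaces=frozenset()):
    """Return 'permit' or 'refuse' for a requested wildcard dNSName.

    proven_namespaces: base domains (e.g. a cloud operator's own domain)
    for which the applicant has proven control of the entire Domain
    Namespace, the exception the draft text allows.
    """
    labels = name.lower().strip(".").split(".")
    # Assumption for this example: exactly one wildcard, in the leftmost label.
    if len(labels) < 2 or labels[0] != "*" or "*" in labels[1:]:
        return "refuse"
    base = ".".join(labels[1:])
    if base != public_suffix(base):
        return "permit"   # *.example.com: wildcard sits below a registrant's label
    if base in proven_namespaces:
        return "permit"   # *.bar.ck for the operator that proved control of bar.ck
    return "refuse"       # *.com, *.co.uk: first label left of a public suffix
```

Because an unlisted TLD counts as public, a request such as "*.xyz" is refused even though "xyz" is not in the rule subset, which is the conservative default a CA wants from this check.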
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public