[cabfpub] Use of wildcard certificates by cloud operators

Ryan Sleevi sleevi at google.com
Tue May 6 21:22:55 UTC 2014


So it's unambiguous, the specific language from 11.1.3 of BR's 1.1.7 (
https://cabforum.org/wp-content/uploads/BRv1.1.7.pdf ) that I'm referring
to is

"unless the applicant proves its rightful control of the entire Domain
Namespace. (e.g. CAs
MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example.com” to
Example Co.)."

For *.appspot.com, *.azurewebservices.net, or *.nike, if the applicant was
Google, Microsoft, or Nike (respectively), then they could prove rightful
control over the entire Domain Namespace (e.g., via WHOIS or the other
methods, as detailed in 11.1.1).


On Tue, May 6, 2014 at 2:10 PM, Kelvin Yiu
<kelviny at exchange.microsoft.com> wrote:

> Does the forum agree that section 11.1.3 already allows for cloud
> operators and no changes to the text are needed?
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Tuesday, May 6, 2014 1:16 PM
> *To:* Kelvin Yiu
> *Cc:* richard.smith at comodo.com; ben at digicert.com; Gervase Markham;
> public at cabforum.org
>
> *Subject:* Re: [cabfpub] Use of wildcard certificates by cloud operators
>
> On Tue, May 6, 2014 at 12:58 PM, Kelvin Yiu <
> kelviny at exchange.microsoft.com> wrote:
>
> It sounds like we have some consensus to move forward on the issue. I can
> draft a proposal that includes the following:
>
> 1. Update Section 11.1.3 to clarify that wildcard is allowed for domains
> for cloud operators. I hear that when the forum last updated section
> 11.1.3, there was a lot of headache involved, so I will try to be precise
> and keep the changes to a minimum.
>
>
>
> This isn't needed. 11.1.3 already allows this.
>
>
>