[cabfpub] Use of wildcard certificates by cloud operators

Ryan Sleevi sleevi at google.com
Sat May 24 18:20:59 UTC 2014


I think that would be a highly unfortunate direction to take from this, and
one that we'd have trouble supporting.


On Fri, May 23, 2014 at 8:22 PM, Richard at WoSign <richard at wosign.com> wrote:

> For Wildcard certificates, I think we must limit them to OV SSL only. But I
> found some CAs issued wildcard SSL to DV; this is a big problem.
>
>
> Regards,
>
> Richard
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Kelvin Yiu
> Sent: Saturday, May 24, 2014 2:49 AM
> To: Rick Andrews; richard.smith at comodo.com; public at cabforum.org
> Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators
>
> That's correct. The cloud operator would have to meet all 4 requirements.
>
> I would like to know the type of evidence CAs would need for #1 and #2.
>
> Kelvin
>
> -----Original Message-----
> From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
> Sent: Friday, May 23, 2014 11:01 AM
> To: Kelvin Yiu; richard.smith at comodo.com; public at cabforum.org
> Subject: RE: [cabfpub] Use of wildcard certificates by cloud operators
>
> Just to be clear, Kelvin, the CA SHALL revoke the cert if the cloud
> service provider doesn't provide evidence of ALL of the four items you
> listed.
>
> -Rick
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Kelvin Yiu
> Sent: Friday, May 23, 2014 10:03 AM
> To: richard.smith at comodo.com; public at cabforum.org
> Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators
>
> Thanks Rich.
>
> I want to make a change before moving forward with a ballot since I didn't
> specify any time periods in my previous draft. Here is the updated section
> 13.1.5.
>
> 7. The CA is made aware that a Wildcard Certificate has been used to
> authenticate a fraudulently misleading subordinate Fully-Qualified Domain
> Name, except when the Subscriber is a cloud service provider. The CA SHALL
> revoke a Wildcard Certificate issued to a cloud service provider within 5
> days if the cloud service provider does not provide evidence of the following:
> 1. Maintains a process that identifies potentially misleading
> subordinate domain names for additional approval
> 2. Regularly monitors the Domain Namespace for fraudulent activities
> 3. The fraudulent activities have been removed, or will investigate
> and remove the fraudulent activities within 24 hours upon notification by
> the CA
> 4. Asserts that the Private Key corresponding to the Public Key in
> the Wildcard Certificate has not been compromised
>
> Thanks,
>
> Kelvin
>
> -----Original Message-----
> From: Rich Smith [mailto:richard.smith at comodo.com]
> Sent: Friday, May 23, 2014 7:26 AM
> To: Kelvin Yiu; public at cabforum.org
> Subject: RE: [cabfpub] Use of wildcard certificates by cloud operators
>
> Kelvin,
> Thanks, this looks good to me.  I'll endorse.
> Regards,
> Rich
>
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Kelvin Yiu
> > Sent: Thursday, May 22, 2014 8:09 PM
> > To: public at cabforum.org
> > Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators
> >
> > Here is my first stab at the changes. The redline version is attached.
> >
> > Change the first 2 paragraphs in section 11.1.3 to:
> >
> > Before issuing a certificate with a wildcard character (*) in a CN or
> > subjectAltName of type DNS-ID, the CA MUST establish and follow a
> > documented procedure† that determines if the wildcard character occurs
> > in the first label position to the left of a public “registry-controlled”
> > label (e.g. “*.com”, “*.co.uk”). CAs may consult with
> > “public suffix lists” to identify public “registry-controlled” domains.
> > See RFC 6454 Section 8.2 for further explanation.
> >
> > If a wildcard would fall within the label immediately to the left of a
> > public “registry-controlled” domain†, CAs MUST refuse issuance unless
> > the applicant proves its rightful control of the entire Domain
> > Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.com”, but MAY
> > issue “*.example.com” to Example Co.). Domains registered to cloud
> > service providers or Internet hosting service providers are not
> > considered to be public if the provider maintains reasonable controls
> > to monitor its Domain Namespace for fraudulent activities and remove
> > any fraudulent Subdomains.
> >
> > Change #7 of section 13.1.5 to:
> >
> > 7. The CA is made aware that a Wildcard Certificate has been used to
> > authenticate a fraudulently misleading subordinate Fully-Qualified
> > Domain Name, except when the Subscriber is a cloud service provider.
> > The CA SHALL revoke a Wildcard Certificate issued to a cloud service
> > provider within nn days if the cloud service provider does not provide
> > evidence of the following:
> >     a. Maintains a process that identifies potentially misleading
> > subordinate domain names for additional approval
> >     b. Regularly monitors the Domain Namespace for fraudulent
> > activities
> >     c. The fraudulent activities have been removed, or will
> > investigate and remove the fraudulent activities within nn hours upon
> > notification by the CA
> >     d. Asserts that the Private Key corresponding to the Public Key
> > in the Wildcard Certificate has not been compromised
> >
> > Thanks,
> >
> > Kelvin
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
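The wildcard-position check that Kelvin Yiu's draft section 11.1.3 (quoted above) asks CAs to document is mechanical enough to show in code. The following is an added example, not code from this thread, from the CA/B Forum, or from any CA: it parses a public suffix list in the real list's text format (plain rules, `*.` wildcard rules, `!` exception rules, ICANN and PRIVATE sections), finds the public suffix under the PSL matching algorithm, and refuses a wildcard whose parent is itself a registry-controlled label (`*.com`, `*.co.uk`) while allowing `*.example.com`. The PSL subset embedded here is constructed for the example, not the real list; the `provider_controls_namespace` flag is an assumed input standing in for the draft's "provider maintains reasonable controls to monitor its Domain Namespace" condition, applied to PRIVATE-section entries; and the example accepts `*` only as the sole leftmost label, which is a simplification of this example, not something the draft states.

```python
# Added example (not from the thread or the Baseline Requirements): a check for
# the wildcard-position rule in the draft section 11.1.3, using a constructed
# Public Suffix List subset so it runs offline.

# Constructed PSL subset in the real list's text format. Not the real list.
PSL_TEXT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
jp
*.kobe.jp
!city.kobe.jp
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
cloudapp.example
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Parse PSL text into (labels, is_exception, section) tuples."""
    rules = []
    section = "ICANN"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("//"):
            if "BEGIN PRIVATE" in line:
                section = "PRIVATE"
            elif "BEGIN ICANN" in line:
                section = "ICANN"
            continue
        is_exception = line.startswith("!")
        rule = line[1:] if is_exception else line
        rules.append((tuple(rule.lower().split(".")), is_exception, section))
    return rules


RULES = parse_psl(PSL_TEXT)


def _matches(rule_labels, labels):
    """A rule matches when the name ends with the rule's labels; '*' matches any one label."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules=RULES):
    """Return (public_suffix, section) following the PSL matching algorithm."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [r for r in rules if _matches(r[0], labels)]
    if not matches:
        prevailing = (("*",), False, "ICANN")  # PSL default rule: the last label is public
    else:
        exceptions = [m for m in matches if m[1]]
        # An exception rule wins outright; otherwise the rule with the most labels wins.
        prevailing = exceptions[0] if exceptions else max(matches, key=lambda m: len(m[0]))
    rule_labels, is_exception, section = prevailing
    n = len(rule_labels) - (1 if is_exception else 0)  # exception: drop its leftmost label
    return ".".join(labels[-n:]), section


def check_wildcard(name, rules=RULES, provider_controls_namespace=False):
    """Return (allowed, reason) for a requested wildcard name such as '*.example.com'.

    provider_controls_namespace is an assumed input for this example: True means the
    applicant is a cloud/hosting provider that has shown it monitors its namespace
    for fraud and removes fraudulent subdomains, as the draft text describes.
    """
    labels = name.lower().rstrip(".").split(".")
    if "*" not in labels:
        return True, "not a wildcard name; outside this check"
    # Simplification in this example: '*' must be the sole leftmost label.
    if labels[0] != "*" or "*" in labels[1:] or len(labels) < 2:
        return False, "wildcard must be the leftmost label and appear nowhere else"
    parent = ".".join(labels[1:])  # the name directly covered by the wildcard
    suffix, section = public_suffix(parent, rules)
    if parent != suffix:
        return True, f"wildcard sits below a registrable domain; public suffix is '{suffix}'"
    if section == "PRIVATE" and provider_controls_namespace:
        return True, f"'{parent}' is a provider namespace with fraud monitoring controls"
    return False, f"'{parent}' is a public registry-controlled label; refuse issuance"


if __name__ == "__main__":
    for n in ("*.com", "*.co.uk", "*.example.com", "*.c.kobe.jp",
              "*.city.kobe.jp", "*.cloudapp.example", "*.unknowntld"):
        print(n, check_wildcard(n))
    print("*.cloudapp.example (provider with controls)",
          check_wildcard("*.cloudapp.example", provider_controls_namespace=True))
```

The exception-rule case (`*.city.kobe.jp` allowed while `*.c.kobe.jp` is refused) is the part a hand-rolled "is the parent on the list" check tends to get wrong, and the PRIVATE-section branch is where the draft's cloud-provider carve-out lands: the same `*.cloudapp.example` request is refused for an ordinary applicant and allowed only when the provider's namespace controls have been evidenced.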

