[cabfpub] Domain validation

Gervase Markham gerv at mozilla.org
Thu May 7 11:03:05 UTC 2015

On 07/05/15 00:46, Anoosh Saboori wrote:
> What you stated below partly is the main reason for us not supporting #6
> . Another example is Azure tenant who is assigned “example.cloudapp.net”.
> While the tenant can pass the test in #6 by inserting nonce in
> “example.cloudapp.net/.well-known/certificate”, they are not the real
> owner for that domain name, Azure is.

This issue is not specific to cloudapp.net, of course. The meta-issue
is: if a 2LD owner delegates control of 3LDs to various 3rd parties, is
it OK for those 3rd parties to get an SSL certificate for that subdomain?

I'd say that it is. That's what delegation means. They shouldn't be able
to get a cert for the 2LD of course, but the rules don't let them do that.

Anoosh: what bad thing can happen if the person to whom Microsoft has
allocated example.cloudapp.net gets a certificate for example.cloudapp.net?
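As an added illustration of the check being debated (not code from the thread, the CA/B Forum, or any CA): a minimal model of the method-#6 style "nonce at a well-known path" validation, paired with a scoping rule that turns a successful demonstration on one FQDN into authorization for that exact name and names beneath it only, never for the parent (the 2LD the thread says the tenant must not get). The HTTP fetch is replaced by a constructed in-memory map so it runs offline; the path, the nonce length and the subdomain rule are assumptions, not a quotation of the Baseline Requirements.

```python
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Path named in the thread; assumed here, not a normative value.
WELL_KNOWN_PATH = "/.well-known/certificate"

# Constructed stand-in for the HTTP fetch a CA would perform: URL -> body.
FakeWeb = Dict[str, str]


def issue_nonce() -> str:
    """Random token the applicant must publish at the well-known path."""
    return secrets.token_urlsafe(32)


def well_known_url(fqdn: str) -> str:
    """URL the CA retrieves to look for the nonce."""
    return f"http://{fqdn.rstrip('.')}{WELL_KNOWN_PATH}"


def check_well_known(fqdn: str, nonce: str,
                     fetch: Callable[[str], Optional[str]]) -> bool:
    """Method-#6-style check: the nonce must be served at the well-known URL
    on exactly the FQDN being validated. Comparison is constant-time."""
    body = fetch(well_known_url(fqdn))
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), nonce)


def uncovered_names(validated_fqdn: str, requested: List[str]) -> List[str]:
    """Names in `requested` that proving control of `validated_fqdn` does NOT
    authorize. Assumed rule: the validated name and names beneath it are
    covered; anything above it (the 2LD, a sibling) is not."""
    validated = validated_fqdn.lower().rstrip(".")
    uncovered = []
    for name in requested:
        n = name.lower().rstrip(".")
        covered = n == validated or n.endswith("." + validated)
        if not covered:
            uncovered.append(name)
    return uncovered


def run_demo() -> Dict[str, object]:
    """Walk through the cloudapp.net scenario from the thread on a constructed
    fake web: the tenant proves control of example.cloudapp.net and then asks
    for several names. Returns the intermediate results for inspection."""
    tenant_fqdn = "example.cloudapp.net"
    nonce = issue_nonce()
    # Constructed content: the tenant publishes the nonce only under its own name.
    web: FakeWeb = {well_known_url(tenant_fqdn): nonce + "\n"}

    tenant_ok = check_well_known(tenant_fqdn, nonce, web.get)
    parent_ok = check_well_known("cloudapp.net", nonce, web.get)
    requested = ["example.cloudapp.net", "www.example.cloudapp.net",
                 "cloudapp.net", "other.cloudapp.net"]
    return {
        "tenant_validated": tenant_ok,
        "parent_validated": parent_ok,
        "refused_names": uncovered_names(tenant_fqdn, requested),
    }


if __name__ == "__main__":
    print(run_demo())
```

The scoping step is the part the thread's question turns on: the nonce check alone answers "does this party control this host right now", while `uncovered_names` is what keeps a delegated 3LD holder from being issued anything for the 2LD or for a sibling tenant's name.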


