[cabfpub] Domain validation

Anoosh Saboori ansaboor at microsoft.com
Thu May 7 13:30:01 UTC 2015

In this case, customer owns example.com and not example.clouapp.net. As I mentioned earlier, Azure owns the name and is not delegated to the tenant. I was hoping to join the call today, but it conflicts with another meeting that showed up last minute. I will continue using email.

Sent from my Windows Phone
From: Gervase Markham<mailto:gerv at mozilla.org>
Sent: ‎5/‎7/‎2015 4:03 AM
To: Anoosh Saboori<mailto:ansaboor at microsoft.com>; Ryan Sleevi<mailto:sleevi at google.com>
Cc: public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Domain validation

On 07/05/15 00:46, Anoosh Saboori wrote:
> What you stated below partly is the main reason for us not supporting #6
> . Another example is Azure tenant who is assigned “example.clouapp.net”.
> While the tenant can pass the test in #6  by inserting nonce in
> “example.cloudapp.net/.well-known/certificate”, they are not the real
> owner for that domain name, Azure is.

This issue is not specific to cloudapp.net, of course. The meta-issue
is: if a 2LD owner delegates control of 3LDs to various 3rd parties, is
it OK for those 3rd parties to get an SSL certificate for that subdomain?

I'd say that it is. That's what delegation means. They shouldn't be able
to get a cert for the 2LD of course, but the rules don't let them do that.

Anoosh: what bad thing can happen if the person to whom Microsoft has
allocated example.cloudapp.net gets a certificate for example.cloudapp.net?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150507/b57714ee/attachment-0003.html>

More information about the Public mailing list