[cabfpub] Misissuance of certificates

Doug Beattie doug.beattie at globalsign.com
Wed Nov 11 12:31:27 UTC 2015

Yes, I agree with Robin.  There is no requirement to make every publically trusted certificate available on the internet.  The intent of this was to require subscribers to use this certificate only for those FQDNs which are in the SAN and they must not use it on other web servers (presumably to support some sort of attack).  If this was truly a requirement then every cert with internal server names would have broken this rule since they are normally not publically visible.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Robin Alden
Sent: Wednesday, November 11, 2015 5:11 AM
To: 'Geoff Keating' <geoffk at apple.com>; 'Peter Bowen' <pzbowen at gmail.com>
Cc: 'Dean Coclin' <Dean_Coclin at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates


I’m afraid it goes too far to imply that there is a requirement for the subscriber to put their certificate on the public internet.

There is no such requirement.

9.6.3 does not require it.

9.6.3 requires that the server is “accessible at the subjectAltName(s) listed in the Certificate”.  If that is on the subscriber’s private network then that’s fine.

While internal names are permitted in certificates it would have been futile to require them to resolve on the public internet.

For FQDNs we only require that the applicant demonstrates that they are the registrant or have ownership or control of the “Authorization Domain” (to borrow a defined term from the upcoming Domain Validation ballot).  We do not require a demonstration of control or even a test for presence of the FQDN on the internet.


I don’t recall how came to be written, but it seems to me to be a requirement on subscribers to use server certificates on servers where they are obviously usable.

If a subscriber is deploying a certificate onto a server where it is not obviously usable then either they are up to no good with it or they are too dumb or too clever to have nice things and it should be taken away from them.  I could see an argument for being too overbearing and I would not mourn its loss, but its presence or absence does not forbid the use of certificates on private networks.





From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>  [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: 11 November 2015 07:00
To: Ryan Sleevi
Cc: Dean Coclin; public at cabforum.org <mailto:public at cabforum.org> 
Subject: Re: [cabfpub] Misissuance of certificates



On 10 Nov 2015, at 8:27 PM, Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote (for Peter Bowen):


the subscriber have "[a]n obligation and warranty to install the
Certificate only on servers that are accessible at the
subjectAltName(s) listed in the Certificate".  If the subscriber has


The key word here is ‘only’.  Honored more in the breach, alas.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151111/1aaef36d/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4289 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151111/1aaef36d/attachment-0001.p7s>

More information about the Public mailing list