[cabfpub] [SPAM]Re: Wildcard language in BRs
Rich Smith
richard.smith at comodo.com
Fri Apr 22 05:57:17 MST 2016
Peter,
To be thorough, we also need to address section 7.1.4.2.1 which says:
Wildcard FQDNs are permitted.
I suggest:
Modify your proposal of the definition replacing Wildcard Domain Name
with Wildcard FQDN.
Given the propensity to stretch the wording I also think your definition
isn't quite strong enough, so I suggest making it extremely explicit,
modifying to say:
Wildcard FQDN: A Domain Name formed by prepending '*.' to a FQDN
containing NO OTHER wildcard characters within it. The wildcard
character '*' MUST ONLY be used in the left-most character position in
the FQDN, AND MUST be immediately followed by the '.' character, thus
the wildcard character forms the entirety of the left-most label of the
FQDN.
Overkill, but unfortunately it's been clearly demonstrated that overkill
is necessary.
I also think we should make the wording in 7.1.4.2.1 a bit stronger and
more clear so no one can lawyer their way out of it in the future. Suggest:
Replace:
Wildcard FQDNs are permitted.
With:
If the wildcard character (*) is used in a Subject Alternative Name it
MUST conform with the definition of a Wildcard FQDN in these Requirements.
With the above changes, and assuming everyone agrees that at this point
no one could possibly claim, legitimately or otherwise, this allows
anything other than *.foobar.com or *.foo.bar.com, you have my endorsement.
Regards,
Rich
P.S.
Hmmm...since we're apparently debating what 'is' is, it may also be
necessary to define Wildcard Character: '*' contained in a FQDN
On 4/21/2016 5:17 PM, Peter Bowen wrote:
> On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> The BRs define Wildcard Certificate:
>> "Wildcard Certificate: A Certificate containing an asterisk (*) in the left
>> ‐most position of any of the Subject Fully‐Qualified Domain Names
>> contained in the Certificate."
>>
>> Is "left-most position" technically defined? Does that mean the left-most
>> character or left-most label? A name like "ww*.example.com" has an asterisk
>> in the left-most label. So if position=label, that name is permitted.
>>
>> This is why we agree with Jeremy that the current language is ambiguous and
>> doesn't clearly exclude wildcards like "ww*.example.com".
> Rick,
>
> In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.
>
> It would define a new term “Wildcard Domain Name” with the definition of "A Domain Name formed by prepending '*.' to a FQDN” and then use this in the Wildcard Certificate definition: “A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate”.
>
> Then in 3.2.2.6, make it read:
>
> Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
> If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement).
>
> Do you agree that this would make the language unambiguous?
>
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
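As an added example (not code from this thread or from the CA/Browser Forum), a Python check that implements the proposed Wildcard FQDN definition and the proposed 7.1.4.2.1 rule above, rejecting names like "ww*.example.com" while accepting "*.foobar.com" and "*.foo.bar.com". The public-suffix set is a constructed placeholder standing in for the registry-controlled label / Public Suffix List check described in the quoted 3.2.2.6 text.

```python
import re

# RFC 1123 hostname label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Stand-in for the "registry-controlled label or public suffix" check in the
# proposed 3.2.2.6 text; a real implementation consults the Public Suffix List.
# Constructed placeholder set, not an authoritative list.
PUBLIC_SUFFIXES = {"com", "co.uk", "local"}

def is_fqdn(name):
    """A syntactically valid FQDN with no wildcard character anywhere in it."""
    if not name or len(name) > 253 or "*" in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def is_wildcard_fqdn(name):
    """Proposed Wildcard FQDN definition: '*.' prepended to an FQDN that contains
    no other wildcard characters, so '*' is the entire left-most label."""
    return name.startswith("*.") and is_fqdn(name[2:])

def check_dns_name(name):
    """Apply the proposed 7.1.4.2.1 rule to one SAN dNSName.

    Returns (allowed, reason). Any '*' outside a conforming Wildcard FQDN is
    rejected; a Wildcard FQDN whose FQDN portion is a public suffix is
    rejected pending proof of control over the whole namespace (3.2.2.6).
    """
    if "*" in name:
        if not is_wildcard_fqdn(name):
            return False, "wildcard character does not form the entire left-most label"
        if name[2:].lower() in PUBLIC_SUFFIXES:
            return False, "FQDN portion is registry-controlled; refuse unless namespace control is proven"
        return True, "Wildcard FQDN"
    if is_fqdn(name):
        return True, "FQDN"
    return False, "not a valid FQDN"

if __name__ == "__main__":
    # Constructed sample names, including the cases debated in the thread.
    for n in ["*.foobar.com", "*.foo.bar.com", "ww*.example.com",
              "*.*.example.com", "foo.*.example.com", "*.co.uk", "www.example.com"]:
        print(n, check_dns_name(n))
```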