[cabfpub] Wildcard language in BRs

Rick Andrews Rick_Andrews at symantec.com
Thu Apr 21 23:10:23 UTC 2016


Yes, I think that's much better.

But there's one other section in the BRs that should also be changed (added text between + signs):  Subject Alternative Name Extension:
"This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name +or Wildcard Domain Name, +or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted."

The last sentence implies that Wildcards are a special type of FQDN, so changing it to "Wildcard Domain Names are permitted" would seem to clarify it.


-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Thursday, April 21, 2016 3:17 PM
To: Rick Andrews <Rick_Andrews at symantec.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Wildcard language in BRs

On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
> The BRs define Wildcard Certificate:
> "Wildcard Certificate: A Certificate containing an asterisk (*) in the 
> left ‐most position of any of the Subject Fully‐Qualified Domain Names 
> contained in the Certificate."
> Is "left-most position" technically defined? Does that mean the 
> left-most character or left-most label? A name like "ww*.example.com" 
> has an asterisk in the left-most label. So if position=label, that name is permitted.
> This is why we agree with Jeremy that the current language is 
> ambiguous and doesn't clearly exclude wildcards like "ww*.example.com".


In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.

It would define a new term “Wildcard Domain Name” with the definition of "A Domain Name formed by prepending '*.' to a FQDN” and then use this in the Wildcard Certificate definition: “A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate”.

Then in, make it read:

Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation). 
If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement). 

Do you agree that this would make the language unambiguous?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5749 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160421/5b5fcf04/attachment-0001.p7s>

More information about the Public mailing list