[cabfpub] [SPAM]Re: Wildcard language in BRs

Brown, Wendy (10421) wendy.brown at protiviti.com
Fri Apr 22 17:23:35 UTC 2016


Just a question - but why the restriction that a wildcard has to be the full label of that leftmost component of the FQDN?

It seems to me that if someone legitimately obtaining a wildcard certificate wanted to restrict it even further, like "app*.serverfarm.companyx.com" instead of "*.serverfarm.companyx.com",
and you were able to do the correct validation that the requestor has control over "serverfarm.companyx.com", that would be a legitimate request.

Why is this considered less secure than the unrestricted wildcard in the left-most label?

Thanks,
    wendy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Friday, April 22, 2016 12:43 PM
To: Rich Smith <richard.smith at comodo.com>; public at cabforum.org
Subject: Re: [cabfpub] [SPAM]Re: Wildcard language in BRs

I agree with Rich that the wording needs to be clear. However, I don't think we should add restrictions in the definitions section. Adding a restriction to a definition is odd.

Here's what I think we should do:

1) Add a definition of Wildcard FQDN:
Wildcard FQDN: A domain name containing a wildcard character.

2) Delete the following sentence from 7.1.4.2.1 (because it doesn't apply to common names):
" Wildcard FQDNs are permitted."

3) Clarify Section 3.2.2.6 as follows:
CAs MAY issue a certificate for a Wildcard FQDN provided:
        1) The Wildcard FQDN contains only one wildcard character, which wildcard character MUST be an asterisk (*);
        2) The wildcard character MUST be in the left-most label of the FQDN and comprise the entirety of the left-most label of the FQDN; and
        3) The wildcard character does not occur in the first label position to the left of a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation) † unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example.com” to Example Co.).

† Determination of what is “registry‐controlled” versus the registerable portion of a Country Code Top‐Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice is to consult a “public suffix list” such as http://publicsuffix.org/ (PSL), and to retrieve a fresh copy regularly. If using the PSL, a CA SHOULD consult the "ICANN DOMAINS" section only, not the "PRIVATE DOMAINS" section. The PSL is updated regularly to contain new gTLDs delegated by ICANN, which are listed in the "ICANN DOMAINS" section. A CA is not prohibited from issuing a Wildcard Certificate to the Registrant of an entire gTLD, provided that control of the entire namespace is demonstrated in an appropriate way.

Jeremy

On 4/21/2016 5:17 PM, Peter Bowen wrote:
> On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> The BRs define Wildcard Certificate:
>> "Wildcard Certificate: A Certificate containing an asterisk (*) in
>> the left ‐most position of any of the Subject Fully‐Qualified Domain
>> Names contained in the Certificate."
>>
>> Is "left-most position" technically defined? Does that mean the
>> left-most character or left-most label? A name like "ww*.example.com"
>> has an asterisk in the left-most label. So if position=label, that name is permitted.
>>
>> This is why we agree with Jeremy that the current language is
>> ambiguous and doesn't clearly exclude wildcards like "ww*.example.com".
> Rick,
>
> In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.
>
> It would define a new term “Wildcard Domain Name” with the definition of "A Domain Name formed by prepending '*.' to a FQDN” and then use this in the Wildcard Certificate definition: “A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate”.
>
> Then in 3.2.2.6, make it read:
>
> Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
> If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement).
>
> Do you agree that this would make the language unambiguous?
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Friday, April 22, 2016 6:57 AM
To: public at cabforum.org
Subject: Re: [cabfpub] [SPAM]Re: Wildcard language in BRs

Peter,
To be thorough, we also need to address section 7.1.4.2.1 which says:
Wildcard FQDNs are permitted.

I suggest:
Modify your proposal of the definition replacing Wildcard Domain Name with Wildcard FQDN.

Given the propensity to stretch the wording I also think your definition isn't quite strong enough, so I suggest making it extremely explicit, modifying to say:
Wildcard FQDN: A Domain Name formed by prepending '*.' to a FQDN containing NO OTHER wildcard characters within it.  The wildcard character '*' MUST ONLY be used in the left-most character position in the FQDN, AND MUST be immediately followed by the '.' character, thus the wildcard character forms the entirety of the left-most label of the FQDN.

Overkill, but unfortunately it's been clearly demonstrated that overkill is necessary.

I also think we should make the wording in 7.1.4.2.1 a bit stronger and more clear so no one can lawyer their way out of it in the future.  Suggest:

Replace:
Wildcard FQDNs are permitted.
With:
If the wildcard character (*) is used in a Subject Alternative Name it MUST conform with the definition of a Wildcard FQDN in these Requirements.

With the above changes, and assuming everyone agrees that at this point no one could possibly claim, legitimately or otherwise, this allows anything other than *.foobar.com or *.foo.bar.com, you have my endorsement.

Regards,
Rich

P.S.
Hmmm...since we're apparently debating what 'is' is, it may also be necessary to define Wildcard Character: '*' contained in a FQDN

On 4/21/2016 5:17 PM, Peter Bowen wrote:
> On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> The BRs define Wildcard Certificate:
>> "Wildcard Certificate: A Certificate containing an asterisk (*) in
>> the left ‐most position of any of the Subject Fully‐Qualified Domain
>> Names contained in the Certificate."
>>
>> Is "left-most position" technically defined? Does that mean the
>> left-most character or left-most label? A name like "ww*.example.com"
>> has an asterisk in the left-most label. So if position=label, that name is permitted.
>>
>> This is why we agree with Jeremy that the current language is
>> ambiguous and doesn't clearly exclude wildcards like "ww*.example.com".
> Rick,
>
> In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.
>
> It would define a new term “Wildcard Domain Name” with the definition of "A Domain Name formed by prepending '*.' to a FQDN” and then use this in the Wildcard Certificate definition: “A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate”.
>
> Then in 3.2.2.6, make it read:
>
> Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
> If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement).
>
> Do you agree that this would make the language unambiguous?
>
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
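The three conditions Jeremy proposes for 3.2.2.6 and Rich's proposed 7.1.4.2.1 wording (any SAN containing '*' must be a conforming Wildcard FQDN), written out as a pre-issuance check a CA's linting step could run. This is an added example, not code from the thread or from the Baseline Requirements: the public-suffix entries are constructed stand-ins for the PSL's "ICANN DOMAINS" section (a real check loads a fresh copy of the PSL), and the `controls_entire_namespace` flag is a hypothetical placeholder for whatever out-of-band evidence the CA accepts that the applicant controls the whole namespace.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed stand-in for the "ICANN DOMAINS" section of the Public Suffix
# List (http://publicsuffix.org/). A real validator must load a fresh copy of
# the PSL; these entries exist only to make the example self-contained.
# "example" plays the role of a gTLD whose registrant might prove control of
# the entire namespace (Peter's "*.example" case).
CONSTRUCTED_PUBLIC_SUFFIXES: FrozenSet[str] = frozenset({
    "com", "org", "uk", "co.uk", "local", "example",
})

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def check_wildcard_fqdn(
    name: str,
    public_suffixes: FrozenSet[str] = CONSTRUCTED_PUBLIC_SUFFIXES,
    controls_entire_namespace: bool = False,  # hypothetical: CA's own proof step
) -> Tuple[bool, str]:
    """Apply the three proposed 3.2.2.6 conditions to a candidate name.

    Returns (ok, reason) so a linter can log why a request was refused.
    """
    name = name.strip().rstrip(".").lower()
    if not name:
        return False, "empty name"

    # Condition 1: exactly one wildcard character, and it is an asterisk.
    if name.count("*") != 1:
        return False, "must contain exactly one '*'"

    labels = name.split(".")

    # Condition 2: the asterisk comprises the entire left-most label.
    # Rejects "ww*.example.com", "app*.serverfarm.companyx.com", "www.*.example.com".
    if labels[0] != "*":
        return False, "'*' must comprise the entire left-most label"

    base = labels[1:]
    if not base:
        return False, "no FQDN follows the wildcard label"
    for label in base:
        if not _LABEL_RE.match(label):
            return False, f"invalid label {label!r}"

    # Condition 3: the name to the right of '*.' must not itself be a
    # registry-controlled label or public suffix, unless the applicant has
    # demonstrated control of the entire namespace.
    base_name = ".".join(base)
    if base_name in public_suffixes and not controls_entire_namespace:
        return False, f"'*.{base_name}' would cover a public suffix"

    return True, "ok"


def san_wildcards_conform(dns_names: List[str]) -> bool:
    """Rich's proposed 7.1.4.2.1 rule: every SAN dNSName that uses '*'
    MUST conform to the Wildcard FQDN definition; names without '*' are
    left to ordinary domain validation."""
    return all(
        check_wildcard_fqdn(n)[0] for n in dns_names if "*" in n
    )


if __name__ == "__main__":
    # Constructed requests, including the cases raised in the thread.
    for candidate in ["*.example.com", "ww*.example.com",
                      "app*.serverfarm.companyx.com", "*.co.uk", "*.local"]:
        ok, why = check_wildcard_fqdn(candidate)
        print(f"{candidate:32} {'ISSUE' if ok else 'REFUSE'}: {why}")
    ok, why = check_wildcard_fqdn("*.example", controls_entire_namespace=True)
    print(f"{'*.example (namespace proven)':32} {'ISSUE' if ok else 'REFUSE'}: {why}")
```

Note that the check is deliberately positional rather than a regular expression over the whole string: it is the "position = label, and the label is exactly '*'" reading that Rick asked about, which is what makes "ww*.example.com" fail rather than slip through.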

