[cabfpub] FW: BR – Contradiction on gTLDs

Ryan Sleevi sleevi at google.com
Tue May 24 03:08:14 MST 2016


Yes, this is just one of the 'legacy leftovers' that could be cleaned up in
a subsequent ballot. CAs MUST NOT issue certificates for Internal Names now.

On Tue, May 24, 2016 at 2:52 AM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> Forum-Please review this question.
>
>
> Dean
>
>
>
> *From:* Adam, Daniel (US - San Francisco)
> *Sent:* Friday, May 20, 2016 3:59 AM
> *To:* Sheehy, Don
> *Subject:* Can you send this to the CA/B Forum public list?
>
>
>
> Subject: BR – Contradiction on gTLDs
>
>
>
> Baseline Requirements 1.3.4 defines an ‘Internal Name’ as: *A string of
> characters (not an IP address) in a Common Name or Subject Alternative Name
> field of a Certificate that cannot be verified as globally unique within
> the public DNS at the time of certificate issuance because it does not end
> with a Top Level Domain registered in IANA’s Root Zone Database.*
>
>
>
> Section 4.2.2 states that CAs SHOULD NOT issue certificates containing new
> gTLDs under consideration by ICANN and warn the applicant of this, etc.
> This suggests that, although not recommended, it is still permissible for
> CAs to issue these types of certificates. However, this appears to be
> contradicted in Section 7.1.4.2.1 which states that CAs SHALL NOT issue
> certificates containing an Internal Name that expire later than 1 November
> 2015. Since we are well past that date, this is interpreted as CAs SHALL
> NOT issue any more certificates containing Internal Names, which includes
> any gTLDs that are under consideration by ICANN as those are publicly
> unresolvable (and by definition, an ‘Internal Name’) until the day they are
> included in the IANA Root Zone.
>
>
>
> Therefore, isn’t this criterion in 4.2.2 redundant as these certificates
> are not supposed to be issued anymore?