[cabfpub] FW: BR – Contradiction on gTLDs

Richard Barnes rbarnes at mozilla.com
Tue May 24 05:59:16 MST 2016


+1

On Tue, May 24, 2016 at 6:08 AM, Ryan Sleevi <sleevi at google.com> wrote:

> Yes, this is just one of the 'legacy leftovers' that could be cleaned up
> in a subsequent ballot. CAs MUST NOT issue certificates for Internal Names
> now.
>
> On Tue, May 24, 2016 at 2:52 AM, Dean Coclin <Dean_Coclin at symantec.com>
> wrote:
>
>> Forum-Please review this question.
>>
>>
>> Dean
>>
>>
>>
>> *From:* Adam, Daniel (US - San Francisco)
>> *Sent:* Friday, May 20, 2016 3:59 AM
>> *To:* Sheehy, Don
>> *Subject:* Can you send this to the CA/B Forum public list?
>>
>>
>>
>> Subject: BR – Contradiction on gTLDs
>>
>>
>>
>> Baseline Requirements 1.3.4 defines an ‘Internal Name’ as: *A string of
>> characters (not an IP address) in a Common Name or Subject Alternative Name
>> field of a Certificate that cannot be verified as globally unique within
>> the public DNS at the time of certificate issuance because it does not end
>> with a Top Level Domain registered in IANA’s Root Zone Database.*
>>
>>
>>
>> Section 4.2.2 states that CAs SHOULD NOT issue certificates containing
>> new gTLDs under consideration by ICANN and warn the applicant of this etc.
>> This suggests that, although not recommended, it is still permissible for
>> CAs to issue these types of certificates. However, this appears to be
>> contradicted in Section 7.1.4.2.1 which states that CAs SHALL NOT issue
>> certificates containing an Internal Name that expire later than 1 November
>> 2015. Since we are well past that date, this is interpreted as CAs SHALL
>> NOT issue any more certificates containing Internal Names, which includes
>> any gTLDs that are under consideration by ICANN as those are publicly
>> unresolvable (and by definition, an ‘Internal Name’) until the day they are
>> included in the IANA Root Zone.
>>
>>
>>
>> Therefore, isn’t this criterion in 4.2.2 redundant as these certificates
>> are not supposed to be issued anymore?
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
>
>
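
The Internal Name definition quoted in the thread, written out as a pre-issuance check. This is an added example, not code from the Baseline Requirements or from any participant in the thread; `ROOT_ZONE_TLDS` is a constructed stand-in for IANA's Root Zone Database, `newgtld` is a placeholder for an applied-for gTLD, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a tiny stand-in for IANA's Root Zone Database.
# A real check would load the current TLD list published by IANA.
ROOT_ZONE_TLDS = {"com", "org", "net", "uk", "xn--p1ai"}


def classify_name(name, tlds=ROOT_ZONE_TLDS):
    """Return 'ip', 'public' or 'internal' for one CN/SAN string."""
    candidate = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(candidate)
        return "ip"  # the definition explicitly excludes IP addresses
    except ValueError:
        pass
    if candidate.startswith("*."):
        candidate = candidate[2:]  # a wildcard is judged by its base name
    try:
        # Compare in A-label (punycode) form, which is how IDN TLDs are listed.
        ascii_name = candidate.encode("idna").decode("ascii")
    except UnicodeError:
        return "internal"  # not a well-formed DNS name, so not verifiable
    labels = ascii_name.split(".")
    if "" in labels:
        return "internal"
    # The definition turns only on the final label being in the root zone.
    return "public" if labels[-1] in tlds else "internal"


def internal_names(names, tlds=ROOT_ZONE_TLDS):
    """Names in a request that must block issuance as Internal Names."""
    return [n for n in names if classify_name(n, tlds) == "internal"]


if __name__ == "__main__":
    # Constructed request: the applied-for gTLD is an Internal Name until
    # the day it appears in the root zone, which is the thread's point.
    request = ["www.example.com", "10.0.0.1", "mail", "server1.corp",
               "*.shop.example.newgtld"]
    print(internal_names(request))
    print(internal_names(request, ROOT_ZONE_TLDS | {"newgtld"}))
```
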