[cabfpub] Preballot - Revised Ballot 190

Gervase Markham gerv at mozilla.org
Thu May 18 14:13:28 UTC 2017


On 17/05/17 17:40, Ryan Sleevi via Public wrote:
> As such, it's unclear what the intended outcome of this is. Is it meant
> to be binding on CAs? If so, we should look to be more explicit.

The intent is to be explicit about what is currently implicit; there was
a message to this list a while back saying that all methods except IP
Address were suitable for issuance of wildcards, but that required a
very close reading of the text, and it seemed to make sense to make it
explicit.

So yes, it's intended to be normative.

> It's also unclear whether the 'intent' of the wildcard certificate was
> also to encompass the validation of subdomains, or their use in
> Authorization Domain Names.

At one point in one draft, the phrase covered both.

I can't think of any reason why you would ever want to permit one and
ban the other - can anyone? If not, we should just extend the language
to cover wildcards and subdomains.

> Why is this permitted for wildcard, but IP are not?
> 
> Speaking from a security perspective, it goes
> 3.2.2.4.6 (Website) < 3.2.2.4.10 (Random Value) < 3.2.2.4.9 (Test Cert)
> < 3.2.2.4.8 (IP) < [everything else that follows]
> 
> As such, it would seem that if 3.2.2.4.8 is prohibited from wildcards,
> .6, .9 and .10 should also be prohibited.

I think it was Peter who did the analysis; but again, the aim here is to
make clear existing rules, not to make new rules. If we are failing in
that, we should change it. If you want to change the rules, that would
probably be a separate ballot :-)

Gerv


