[Servercert-wg] www and non-www (possibly an old issue)
Adriano Santoni
adriano.santoni at staff.aruba.it
Mon Jan 28 08:03:57 MST 2019
Good, and I agree that this is the only possible rationale.
Thanks to you and Doug.
On 28/01/2019 15:31, Ryan Sleevi wrote:
>
>
> On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>
> My question stems from the fact that many CAs automatically
> include the naked <domain> in the SAN upon issuing a certificate
> that was requested for "www.<domain>" (and the opposite as well),
> on the grounds of the assumption that whoever controls "www" also
> controls the naked <domain>. Now, although most of the time the
> above assumption is true _de facto_, I would like to understand
> whether there exists an applicable standard (e.g. an RFC) or a
> sound technical reasoning, already put down in writing somewhere,
> supporting that assumption a priori and in general.
>
>
> There is none.
>
> As Doug said, a CA MUST be validating every domain they place in a
> certificate.
>
> It MAY be that the CA is validating the naked domain as an ADN, and
> then including both the naked domain and the www prefixed domain as
> FQDNs that are validated using the ADN, but in that case, both are
> validated. Note that the converse does not apply - you cannot use the
> www-prefixed FQDN as an ADN for the naked FQDN.
>
> There is no reason to assume the two domains - www and naked - are
> shared by the same entity. CAs should only include FQDNs that are
> requested.
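
The rule stated in the quoted reply (every FQDN must be requested and validated; a validated naked domain can serve as the ADN for its www name, but not the other way round) can be expressed as a pre-issuance check. This is an added example, not part of the original thread or any CA's code. The function names and sample domains are hypothetical, and it assumes the validation method in use allows an ADN validation to cover subordinate FQDNs.

```python
# Added illustration; function names and sample data are constructed.

def normalize(name: str) -> str:
    """Lower-case and strip trailing dots so names compare label by label."""
    return name.strip().lower().rstrip(".")

def covered_by_adn(fqdn: str, adn: str) -> bool:
    """True if fqdn equals the ADN or ends with it on a label boundary.

    Comparing label lists (not raw string suffixes) keeps
    'www.notexample.com' from matching the ADN 'example.com'.
    """
    f = normalize(fqdn).split(".")
    a = normalize(adn).split(".")
    return len(f) >= len(a) and f[-len(a):] == a

def check_sans(requested, validated_adns, proposed_sans):
    """Return {san: reason} for each proposed SAN that must not be issued."""
    requested_set = {normalize(r) for r in requested}
    rejected = {}
    for san in proposed_sans:
        n = normalize(san)
        if n not in requested_set:
            # The CA added a name on its own initiative.
            rejected[n] = "not requested"
        elif not any(covered_by_adn(n, adn) for adn in validated_adns):
            # Requested, but no validation performed covers it.
            rejected[n] = "no validated ADN covers this name"
    return rejected

if __name__ == "__main__":
    # Naked domain validated as ADN: both names are covered.
    print(check_sans(["example.com", "www.example.com"],
                     ["example.com"],
                     ["example.com", "www.example.com"]))
    # Only www validated: it cannot act as ADN for the naked domain.
    print(check_sans(["example.com", "www.example.com"],
                     ["www.example.com"],
                     ["example.com", "www.example.com"]))
    # www requested and validated; CA auto-adds the naked domain.
    print(check_sans(["www.example.com"],
                     ["www.example.com"],
                     ["www.example.com", "example.com"]))
```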