[Servercert-wg] www and non-www (possibly an old issue)

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Jan 28 09:43:53 MST 2019


Adriano – to you alone.  I have a dim recollection that at one time it was technically necessary to put both the www.domain and domain in a cert because of some issue with (early) Microsoft IE…  But I could be wrong about that.  Or maybe it was just advisable because of how the internet treated a “naked” domain in early years.

From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On Behalf Of Adriano Santoni via Servercert-wg
Sent: Monday, January 28, 2019 7:04 AM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] Re: [Servercert-wg] www and non-www (possibly an old issue)


Good, and I agree that this is the only possible rationale.

Thanks to you and Doug.


On 28/01/2019 15:31, Ryan Sleevi wrote:


On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org> wrote:

My question stems from the fact that many CAs automatically include the naked <domain> in the SAN upon issuing a certificate that was requested for "www.<domain>" (and the opposite as well), on the grounds of the assumption that whoever controls "www" also controls the naked <domain>. Now, although most of the time the above assumption is true _de facto_, I would like to understand whether there exists an applicable standard (e.g. an RFC) or a sound technical reasoning, already put down in writing somewhere, supporting that assumption a priori and in general.

There is none.

As Doug said, a CA MUST be validating every domain they place in a certificate.

It MAY be that the CA is validating the naked domain as an ADN, and then including both the naked domain and the www prefixed domain as FQDNs that are validated using the ADN, but in that case, both are validated. Note that the converse does not apply - you cannot use the www-prefixed FQDN as an ADN for the naked FQDN.

There is no reason to assume the two domains - www and naked - are shared by the same entity. CAs should only include FQDNs that are requested.
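A concrete model of the ADN rule Ryan describes, as an added example (not code from this thread or from the CA/B Forum): a validation performed on an Authorization Domain Name covers that name and any FQDN beneath it, so validating the naked domain covers www.<domain>, while validating www.<domain> cannot cover the naked domain. The public-suffix set is a constructed placeholder, not the real Public Suffix List.

```python
# Added example, not from the mailing-list thread. Models the Baseline
# Requirements' Authorization Domain Name (ADN) reuse rule: an ADN must be the
# requested FQDN itself or one of its parent domains, compared label by label.
# The suffix set below is a constructed stand-in for the real Public Suffix List.

CONSTRUCTED_PUBLIC_SUFFIXES = {"com", "net", "co.uk"}  # placeholder values


def _labels(name: str) -> list[str]:
    """Normalise a DNS name into lowercase labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_public_suffix(name: str) -> bool:
    return ".".join(_labels(name)) in CONSTRUCTED_PUBLIC_SUFFIXES


def adn_authorizes(adn: str, fqdn: str) -> bool:
    """True if a domain-control validation done on `adn` may be reused for `fqdn`.

    The ADN must equal the FQDN or be a proper parent of it (label-wise, never a
    raw string suffix, so "example.com" does not cover "notexample.com"), and it
    must not itself be a public suffix, which no applicant can be said to control.
    """
    adn_l, fqdn_l = _labels(adn), _labels(fqdn)
    if is_public_suffix(adn):
        return False
    if len(adn_l) > len(fqdn_l):
        return False  # a child such as www.example.com never authorizes its parent
    return fqdn_l[len(fqdn_l) - len(adn_l):] == adn_l


def sans_covered_by(adn: str, requested: list[str]) -> dict[str, bool]:
    """Map each requested SAN to whether the single validation on `adn` covers it.

    Any name mapped to False needs its own validation before it may be issued;
    it must not be added to the certificate on the strength of the www/naked
    assumption the thread rejects.
    """
    return {name: adn_authorizes(adn, name) for name in requested}


if __name__ == "__main__":
    print(sans_covered_by("example.com", ["www.example.com", "example.com"]))
    print(sans_covered_by("www.example.com", ["example.com"]))
```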