[Servercert-wg] www and non-www (possibly an old issue)

Ryan Sleevi sleevi at google.com
Mon Jan 28 10:01:14 MST 2019


I'm unaware of any technical necessity in any product released in the past
20 years; that is, any certificate that would fail to validate if it only
had one.

However, there are reasons why CAs or users might, including to allow both
the naked domain and the www domain to work, particularly for sites that want
to support redirects (e.g. redirecting http[s]://example.com to
https://www.example.com). And there are plenty of market reasons why CAs
might want to advertise getting an extra domain "for free" ("We'll even
throw in the www!"), but those aren't technical reasons.

On Mon, Jan 28, 2019 at 11:55 AM Kirk Hall via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Looks like I posted to the list.
>
> Does anyone else remember why CAs always included both www and the “naked”
> domain in certs a decade ago?
>
> *From:* Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] *On
> Behalf Of *Kirk Hall via Servercert-wg
> *Sent:* Monday, January 28, 2019 8:44 AM
> *To:* Adriano Santoni <adriano.santoni at staff.aruba.it>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old
> issue)
>
> Adriano – to you alone.  I have a dim recollection that at one time it was
> technically necessary to put both the www.domain and *domain* in a cert
> because of some issue with (early) Microsoft IE…  But I could be wrong
> about that.  Or maybe it was just advisable because of how the internet
> treated a “naked” domain in early years.
>
> *From:* Servercert-wg [mailto:servercert-wg-bounces at cabforum.org
> <servercert-wg-bounces at cabforum.org>] *On Behalf Of *Adriano Santoni via
> Servercert-wg
> *Sent:* Monday, January 28, 2019 7:04 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old
> issue)
>
> Good, and I agree that this is the only possible rationale.
>
> Thanks to you and Doug.
>
> On 28/01/2019 15:31, Ryan Sleevi wrote:
>
> On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> My question stems from the fact that many CAs automatically include the
> naked <domain> in the SAN upon issuing a certificate that was requested for
> "www.<domain>" (and the opposite as well), on the grounds of the assumption
> that whoever controls "www" also controls the naked <domain>. Now, although
> most of the time the above assumption is true _de facto_, I would like to
> understand whether there exists an applicable standard (e.g. an RFC) or a
> sound technical reasoning, already put down in writing somewhere,
> supporting that assumption a priori and in general.
>
> There is none.
>
> As Doug said, a CA MUST be validating every domain they place in a
> certificate.
>
> It MAY be that the CA is validating the naked domain as an ADN, and then
> including both the naked domain and the www prefixed domain as FQDNs that
> are validated using the ADN, but in that case, both are validated. Note
> that the converse does not apply - you cannot use the www-prefixed FQDN as
> an ADN for the naked FQDN.
>
> There is no reason to assume the two domains - www and naked - are shared
> by the same entity. CAs should only include FQDNs that are requested.
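The coverage rule Ryan states in the quoted reply (validating the naked domain as an Authorization Domain Name covers both it and the www-prefixed name, but a validation of www.example.com authorizes nothing for example.com, and unrequested names are never added) as an added Python example. This is not code from the thread or from any CA's issuance system; the tiny public-suffix set, the function names and the sample domains are constructed for the example, and the "stop pruning at the Base Domain Name" step uses that constructed set in place of the real Public Suffix List.

```python
"""
Authorization Domain Name (ADN) coverage check.

Added example, not code from the thread or from any CA. It models the rule
from the discussion: a CA may validate control of a domain and then issue
for that FQDN and for FQDNs beneath it, while validating www.example.com
authorizes nothing for example.com. Names that were not requested are never
added, however "obviously" they seem to belong together.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for the Public Suffix List (assumption for this example).
# Labels may be pruned from the left of an FQDN to reach an ADN, but not past
# the Base Domain Name (public suffix plus one label). Real code would consult
# the actual Public Suffix List.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "co.uk", "it"})


def normalize(name: str) -> str:
    """Lowercase and strip a trailing dot so comparisons are label-wise."""
    return name.strip().rstrip(".").lower()


def base_domain_name(fqdn: str) -> str:
    """Return the registrable domain: the public suffix plus one more label."""
    labels = normalize(fqdn).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"{fqdn} has no known public suffix")


def candidate_adns(fqdn: str) -> List[str]:
    """Every name the CA could validate to authorize issuance for fqdn.

    Labels are pruned from the left, stopping at the Base Domain Name: for
    www.example.com the candidates are www.example.com and example.com; for
    example.com the only candidate is example.com itself. A leading wildcard
    label is removed before pruning.
    """
    fqdn = normalize(fqdn)
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    labels = fqdn.split(".")
    base_len = len(base_domain_name(fqdn).split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


def covered_by(fqdn: str, validated_adns: Iterable[str]) -> Optional[str]:
    """Return the validated ADN that authorizes fqdn, or None if none does."""
    validated = {normalize(a) for a in validated_adns}
    for adn in candidate_adns(fqdn):
        if adn in validated:
            return adn
    return None


def issuable_sans(requested: Iterable[str],
                  validated_adns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split the requested names into covered and not-covered.

    Only requested names are ever returned; the function never "throws in"
    the naked domain or the www name on the applicant's behalf.
    """
    ok: List[str] = []
    rejected: List[str] = []
    for name in requested:
        (ok if covered_by(name, validated_adns) else rejected).append(normalize(name))
    return ok, rejected


if __name__ == "__main__":
    # Constructed sample requests for illustration.
    print(issuable_sans(["example.com", "www.example.com"], ["example.com"]))
    print(issuable_sans(["www.example.com", "example.com"], ["www.example.com"]))
```

The asymmetry is what matters operationally: a validation record for example.com can be reused for www.example.com (and any other subdomain), but a record for www.example.com must not be accepted as authority for the naked name, and the request, not a CA heuristic, decides which names are in the SAN list at all.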