[Servercert-wg] www and non-www (possibly an old issue)

Ryan Sleevi sleevi at google.com
Mon Jan 28 12:15:55 MST 2019


Do you have any examples you can point to? Rewriting URLs like that
automatically sounds rather surprising, even configured as such. While some
user agents have hot keys that, when pressed, will add things like "www"
and "com", modifying URLs the user has typed in is fairly rare.

On Mon, Jan 28, 2019 at 2:12 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> Many browsers automatically add www to URLs; IIRC the behavior can vary
> based on configuration settings.  That’s why it’s best to support both via
> a redirect; you can’t predict with 100% accuracy which of the two a random
> user will show up at.
>
>
>
> -Tim
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ryan
> Sleevi via Servercert-wg
> *Sent:* Monday, January 28, 2019 12:01 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] www and non-www (possibly an old issue)
>
>
>
> I'm unaware of any technical necessity in any product released in the past
> 20 years; that is, any certificate that would fail to validate if it only
> had one.
>
>
>
> However, there's reasons why CAs or users might, including to allow both
> the naked domain and www domain work, particularly for sites that want to
> support redirects (e.g. redirecting http[s]://example.com to
> https://www.example.com). And there's plenty of market reasons why CAs
> might want to advertise getting an extra domain "for free" ("We'll even
> throw in the www!"), but those aren't technical reasons.
>
>
>
> On Mon, Jan 28, 2019 at 11:55 AM Kirk Hall via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> Looks like I posted to the list.
>
>
>
> Does anyone else remember why CAs always included both www and the “naked”
> domain in certs a decade ago?
>
>
>
> *From:* Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] *On
> Behalf Of *Kirk Hall via Servercert-wg
> *Sent:* Monday, January 28, 2019 8:44 AM
> *To:* Adriano Santoni <adriano.santoni at staff.aruba.it>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old
> issue)
>
>
>
> *WARNING:* This email originated outside of Entrust Datacard.
> *DO NOT CLICK* links or attachments unless you trust the sender and know
> the content is safe.
> ------------------------------
>
> Adriano – to you alone.  I have a dim recollection that at one time it was
> technically necessary to put both the www.domain and *domain* in a cert
> because of some issue with (early) Microsoft IE…  But I could be wrong
> about that.  Or maybe it was just advisable because of how the internet
> treated a “naked” domain in early years.
>
>
>
> *From:* Servercert-wg [mailto:servercert-wg-bounces at cabforum.org
> <servercert-wg-bounces at cabforum.org>] *On Behalf Of *Adriano Santoni via
> Servercert-wg
> *Sent:* Monday, January 28, 2019 7:04 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old
> issue)
>
>
>
> Good, and I agree that this is the only possible rationale.
>
> Thanks to you and Doug.
>
>
>
> Il 28/01/2019 15:31, Ryan Sleevi ha scritto:
>
>
>
>
>
> On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> My question stems from the fact that many CAs automatically include the
> naked <domain> in the SAN upon issuing a certificate that was requested for
> "www.<domain>" (and the opposite as well), on
> the grounds of the assumption that whoever controls "www" also controls the
> naked <domain>. Now, although most of the time the above assumption is
> true _de facto_, I would like to understand whether there exists an
> applicable standard (e.g. an RFC) or a sound technical reasoning, already
> put down in writing somewhere, supporting that assumption a priori and in
> general.
>
>
>
> There is none.
>
>
>
> As Doug said, a CA MUST be validating every domain they place in a
> certificate.
>
>
>
> It MAY be that the CA is validating the naked domain as an ADN, and then
> including both the naked domain and the www prefixed domain as FQDNs that
> are validated using the ADN, but in that case, both are validated. Note
> that the converse does not apply - you cannot use the www-prefixed FQDN as
> an ADN for the naked FQDN.
>
>
>
> There is no reason to assume the two domains - www and naked - are shared
> by the same entity. CAs should only include FQDNs that are requested.
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
>

