[Servercert-wg] www and non-www (possibly an old issue)

Mon Jan 28 12:19:20 MST 2019

Google for “browser adds www to URL”, there are lots of hits going back years and years, which matches my memory.

-Tim

From: Ryan Sleevi <sleevi at google.com> 
Sent: Monday, January 28, 2019 2:16 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [Servercert-wg] www and non-www (possibly an old issue)

Do you have any examples you can point to? Rewriting URLs like that automatically sounds rather surprising, even configured as such. While some user agents have hot keys that, when pressed, will add things like "www" and "com", modifying URLs the user has typed in is fairly rare.

On Mon, Jan 28, 2019 at 2:12 PM Tim Hollebeek <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com> > wrote:

Many browsers automatically add www to URLs; IIRC the behavior can vary based on configuration settings.  That’s why it’s best to support both via a redirect; you can’t predict with 100% accuracy which of the two a random user will show up at.

-Tim

From: Servercert-wg <servercert-wg-bounces at cabforum.org <mailto:servercert-wg-bounces at cabforum.org> > On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Monday, January 28, 2019 12:01 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com> >; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Subject: Re: [Servercert-wg] www and non-www (possibly an old issue)

I'm unaware of any technical necessity in any product released in the past 20 years; that is, any certificate that would fail to validate if it only had one.

However, there's reasons why CAs or users might, including to allow both the naked domain and www domain work, particularly for sites that want to support redirects (e.g. redirecting http[s]://example.com <http://example.com>  to https://www.example.com). And there's plenty of market reasons why CAs might want to advertise getting an extra domain "for free" ("We'll even throw in the www!"), but those aren't technical reasons.

On Mon, Jan 28, 2019 at 11:55 AM Kirk Hall via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

Looks like I posted to the list.

Does anyone else remember why CAs always included both www and the “naked” domain in certs a decade ago?

From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org <mailto:servercert-wg-bounces at cabforum.org> ] On Behalf Of Kirk Hall via Servercert-wg
Sent: Monday, January 28, 2019 8:44 AM
To: Adriano Santoni <adriano.santoni at staff.aruba.it <mailto:adriano.santoni at staff.aruba.it> >; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Subject: [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old issue)

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

  _____  

Adriano – to you alone.  I have a dim recollection that at one time it was technically necessary to put both the www.domain <http://www.domain>  and domain in a cert because of some issue with (early) Microsoft IE…  But I could be wrong about that.  Or maybe it was just advisable because of how the internet treated a “naked” domain in early years.

From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On Behalf Of Adriano Santoni via Servercert-wg
Sent: Monday, January 28, 2019 7:04 AM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Subject: [EXTERNAL]Re: [Servercert-wg] www and non-www (possibly an old issue)

Good, and I agree that this is the only possible rationale. 

Thanks to you and Doug.

Il 28/01/2019 15:31, Ryan Sleevi ha scritto:

On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

My question stems from the fact than many CAs automatically include the naked <domain> in the SAN upon issuing a certificate that was requested for "www. <http://www.%3cdomain%3e> <domain>" (and the opposite as well), on the grounds of the assumption that whoever controls "www" also controls the naked <domain>. Now, although most of the times that above assumption is true _de facto_, I would like to understand whether there exists an applicable standard (e.g. an RFC) or a sound technical reasoning, already put down in writing somewhere, supporting that assumption a priori and in general. 

There is none.

As Doug said, a CA MUST be validating every domain they place in a certificate.

It MAY be that the CA is validating the naked domain as an ADN, and then including both the naked domain and the www prefixed domain as FQDNs that are validated using the ADN, but in that case, both are validated. Note that the converse does not apply - you cannot use the www-prefixed FQDN as an ADN for the naked FQDN.

There is no reason to assume the two domains - www and naked - are shared by the same entity. CAs should only include FQDNs that are requested. 

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190128/b5d0a9c5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190128/b5d0a9c5/attachment-0001.p7s>