[cabf_validation] Definition of Base Domain Name

Doug Beattie doug.beattie at globalsign.com
Mon Aug 17 07:50:56 MST 2015


We haven't discussed the accuracy of the current definition:

Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com").

For reference, the definition of Authorization Domain Name says: The CA may prune zero or more labels from left to right until encountering a Base Domain Name.

If the value of the first domain name node left of the registry-controlled or PSL suffix is "www", should we allow the cert to be issued? There are cases where certs need to be issued, for example: https://www.gov.uk/. New TLDs might also need this: www.walmart, www.visa, etc. We can validate FQDNs like this when doing domain control technically via email approval, DNS or file as long as we use the www variant and haven't pruned any labels (www in this case) from the left. Authorized domain name says to leave one node to the left of the Base Domain name, and www technically is one node. It sounds like this is supported.

If we allow this, then we should consider updating the definition of Base Domain Name to include some additional examples like www.co.example and www.example as valid Base Domain Names. However, calling these Base Domain Names does not seem accurate, thus my question.
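
An added example (not part of the original message or of any CA/Browser Forum text): the two quoted definitions written out in Python, showing that when "www" is the label directly left of the suffix, the FQDN is its own Base Domain Name and no label can be pruned. The suffix set is a small constructed sample and the function names are hypothetical; wildcard and exception rules of the real Public Suffix List are not handled.

```python
# Constructed sample of registry-controlled / public suffixes. A real
# implementation would load the full Public Suffix List instead.
SAMPLE_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "walmart", "visa"}


def split_labels(fqdn):
    """Normalize an FQDN and split it into labels."""
    return fqdn.lower().rstrip(".").split(".")


def base_domain_name(fqdn, suffixes=SAMPLE_SUFFIXES):
    """Return (base_domain_name, suffix) per the quoted definition:
    the first label left of the suffix, plus the suffix itself."""
    labels = split_labels(fqdn)
    # Walk from the longest candidate to the shortest so that "co.uk"
    # is matched before "uk".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:]), candidate
    raise ValueError(f"no known suffix for {fqdn}")


def authorization_domain_names(fqdn, suffixes=SAMPLE_SUFFIXES):
    """Names reachable by pruning zero or more labels from the left,
    stopping at the Base Domain Name."""
    base, _ = base_domain_name(fqdn, suffixes)
    labels = split_labels(fqdn)
    prunable = len(labels) - len(base.split("."))
    return [".".join(labels[i:]) for i in range(prunable + 1)]


if __name__ == "__main__":
    for name in ("shop.www.example.co.uk", "www.example.com",
                 "www.gov.uk", "www.walmart"):
        base, suffix = base_domain_name(name)
        print(f"{name}: suffix={suffix} base={base} "
              f"candidates={authorization_domain_names(name)}")
```

For www.gov.uk and www.walmart the only candidate is the full FQDN, so validation has to be performed against the www name itself.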
