[cabf_validation] Publicly Trusted TLS certs with .arpa domains

Corey Bonnell Corey.Bonnell at digicert.com
Tue Aug 22 21:12:20 UTC 2023


Hello,

In reviewing the project board [1] for our group, I did some investigation
into the "On Deck" item for validation requirements for .arpa domains [2].
It turns out that according to Censys, there are currently no unexpired and
publicly trusted certificates that have been issued with a .arpa domain name [3].

When the topic of prohibiting such issuance was raised several years ago,
there was some pushback as there were several thousand valid certificates
with .arpa domain names at the time. However, given that there is
potentially no ecosystem impact on prohibiting the issuance of such
certificates now, perhaps we can proceed with a short and simple ballot that
establishes such a prohibition.

If others agree, I'd be willing to draft such a ballot. Or, if someone would
like to develop the proposal, that's perfectly fine too.

Thanks,

Corey

[1] https://github.com/orgs/cabforum/projects/1/views/1

[2] https://github.com/cabforum/servercert/issues/153

[3] https://search.censys.io/search?resource=certificates&q=parsed.extensions.subject_alt_name.dns_names%3A%2F.%2B%5C.arpa%2F+and+parsed.validity_period.not_after%3A%5B2023-08-22+TO+*%5D
