[cabfpub] Misissuance of certificates

Robin Alden robin at comodo.com
Wed Nov 11 10:10:36 UTC 2015


I’m afraid it goes too far to imply that there is a requirement for the subscriber to put their certificate on the public internet.

There is no such requirement.

9.6.3 does not require it.

9.6.3 requires that the server is “accessible at the subjectAltName(s) listed in the Certificate”.  If that is on the subscriber’s private network then that’s fine.

While internal names are permitted in certificates it would have been futile to require them to resolve on the public internet.

For FQDNs we only require that the applicant demonstrates that they are the registrant or have ownership or control of the “Authorization Domain” (to borrow a defined term from the upcoming Domain Validation ballot).  We do not require a demonstration of control or even a test for presence of the FQDN on the internet.

I don’t recall how 9.6.3.4 came to be written, but it seems to me to be a requirement on subscribers to use server certificates on servers where they are obviously usable.

If a subscriber is deploying a certificate onto a server where it is not obviously usable then either they are up to no good with it or they are too dumb or too clever to have nice things and it should be taken away from them.  I could see an argument for 9.6.3.4 being too overbearing and I would not mourn its loss, but its presence or absence does not forbid the use of certificates on private networks.

Regards
Robin

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: 11 November 2015 07:00
To: Ryan Sleevi
Cc: Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

On 10 Nov 2015, at 8:27 PM, Ryan Sleevi <sleevi at google.com> wrote (for Peter Bowen):

the subscriber have "[a]n obligation and warranty to install the
Certificate only on servers that are accessible at the
subjectAltName(s) listed in the Certificate".  If the subscriber has

The key word here is ‘only’.  Honored more in the breach, alas.
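The distinction the message draws, between a SAN that is an internal name, one that is a public FQDN reachable only on a private network, and one that is genuinely on the public internet, can be audited from the certificate's SAN list. The following is an added example and not code from the message, the CA/B Forum, or any CA; it assumes a stand-in `PUBLIC_TLDS` set in place of IANA's root zone, a constructed SAN list, and a canned resolver in place of a real public DNS query.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Stand-in for IANA's Root Zone Database (assumption: a real check loads the full list).
PUBLIC_TLDS = {"com", "net", "org", "edu", "uk", "de", "io"}

def classify_san(name: str) -> str:
    """Classify one SAN entry: 'internal-name' when it is not an IP and its last label is not
    a public TLD; 'reserved-ip' when it is an IP that is not globally routable; else 'fqdn'/'public-ip'."""
    n = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        return "public-ip" if ip.is_global else "reserved-ip"
    labels = n.split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_TLDS:
        return "internal-name"
    return "fqdn"

def audit_sans(sans: List[str], resolver: Optional[Callable[[str], List[str]]] = None) -> Dict[str, dict]:
    """Map each SAN to its class; for concrete public FQDNs, ask the injected resolver whether the
    name exists in public DNS and whether it points at a public address (empty list = no record)."""
    report = {}
    for san in sans:
        kind = classify_san(san)
        entry = {"kind": kind, "publicly_resolvable": None, "resolves_to_public_ip": None}
        # Wildcards cannot be looked up directly, and internal names would never resolve publicly.
        if kind == "fqdn" and resolver is not None and not san.startswith("*."):
            addrs = resolver(san)
            entry["publicly_resolvable"] = bool(addrs)
            # A public FQDN answering with an RFC 1918 address is a private-network deployment,
            # which the message argues 9.6.3 still permits.
            entry["resolves_to_public_ip"] = any(classify_san(a) == "public-ip" for a in addrs)
        report[san] = entry
    return report

# Constructed inputs: SANs as they might appear in one certificate, and a canned resolver
# standing in for a public DNS query (no network is touched).
SAMPLE_SANS = ["www.example.com", "*.example.com", "app.example.com",
               "mail.example.com", "intranet.corp", "fileserver", "10.0.0.5", "8.8.8.8"]
CANNED_DNS = {"www.example.com": ["93.184.216.34"], "app.example.com": ["10.1.2.3"]}

def demo() -> Dict[str, dict]:
    return audit_sans(SAMPLE_SANS, lambda name: CANNED_DNS.get(name, []))
```

Swap the canned resolver for a real lookup (for example `socket.getaddrinfo`) to run it against live DNS; the classification step needs no network at all.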