[cabfpub] [SPAM]Re: Wildcard language in BRs

Rich Smith richard.smith at comodo.com
Fri Apr 22 12:57:17 UTC 2016


Peter,
To be thorough, we also need to address section 7.1.4.2.1 which says:
Wildcard FQDNs are permitted.

I suggest:
Modify your proposal of the definition replacing Wildcard Domain Name 
with Wildcard FQDN.

Given the propensity to stretch the wording I also think your definition 
isn't quite strong enough, so I suggest making it extremely explicit, 
modifying to say:
Wildcard FQDN: A Domain Name formed by prepending '*.' to a FQDN 
containing NO OTHER wildcard characters within it.  The wildcard 
character '*' MUST ONLY be used in the left most character position in 
the FQDN, AND MUST be immediately followed by the '.' character, thus 
the wildcard character forms the entirety of the left most label of the 
FQDN.

Overkill, but unfortunately it's been clearly demonstrated that overkill 
is necessary.

I also think we should make the wording in 7.1.4.2.1 a bit stronger and 
more clear so no one can lawyer their way out of it in the future.  Suggest:

Replace:
Wildcard FQDNs are permitted.
With:
If the wildcard character (*) is used in a Subject Alternative Name it 
MUST conform with the definition of a Wildcard FQDN in these Requirements.

With the above changes, and assuming everyone agrees that at this point 
no one could possibly claim, legitimately or otherwise, this allows 
anything other than *.foobar.com or *.foo.bar.com, you have my endorsement.

Regards,
Rich

P.S.
Hmmm...since we're apparently debating what 'is' is, it may also be 
necessary to define Wildcard Character: '*' contained in a FQDN

On 4/21/2016 5:17 PM, Peter Bowen wrote:
> On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> The BRs define Wildcard Certificate:
>> "Wildcard Certificate: A Certificate containing an asterisk (*) in the left
>> ‐most position of any of the Subject Fully‐Qualified Domain Names
>> contained in the Certificate."
>>
>> Is "left-most position" technically defined? Does that mean the left-most
>> character or left-most label? A name like "ww*.example.com" has an asterisk
>> in the left-most label. So if position=label, that name is permitted.
>>
>> This is why we agree with Jeremy that the current language is ambiguous and
>> doesn't clearly exclude wildcards like "ww*.example.com".
> Rick,
>
> In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.
>
> It would define a new term “Wildcard Domain Name” with the definition of "A Domain Name formed by prepending '*.' to a FQDN” and then use this in the Wildcard Certificate definition: “A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate”.
>
> Then in 3.2.2.6, make it read:
>
> Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
> If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement).
>
> Do you agree that this would make the language unambiguous?
>
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4035 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160422/7ae6b783/attachment-0001.p7s>


More information about the Public mailing list