[cabfpub] Ballot 169 - Revised Validation Requirements

Doug Beattie doug.beattie at globalsign.com
Thu Jul 28 16:14:12 UTC 2016


Hi Ben,

Regarding the Test Certificate question:

This is the current definition:
Test Certificate: A Certificate with a maximum validity period of 30 days and which i) includes a critical extension with the specified Test Certificate CABF OID, or ii) which chains to a root certificate not subject to these Requirements.

I suggested this to Ryan in response to his comment on 7/22:
Test Certificate: A Certificate with a maximum validity period of 30 days and which i) includes a critical extension with the specified Test Certificate CABF OID, or ii) which is issued under a CA where there are no certificate paths/chains to a root certificate subject to these Requirements.

I think this is a bit closer to what Ryan wanted to see; let's go with this unless there are any other comments.

I'm not in a position to comment on the gTLD question.

Doug


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, July 28, 2016 11:52 AM
To: CABFPub
Subject: Re: [cabfpub] Ballot 169 - Revised Validation Requirements

Would the sponsor (Jeremy) and endorsers (Tim and Doug) accept Peter's proposal as a friendly amendment before the review period ends tomorrow?
Also, would they accept my proposed amendment to the definition of "Test Certificate"?  If so, then we can amend the ballot for these two issues before voting starts tomorrow afternoon.
Cheers,
Ben

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Thursday, July 28, 2016 9:33 AM
To: Ryan Sleevi <sleevi at google.com>; Ben Wilson <ben.wilson at digicert.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 169 - Revised Validation Requirements


> On Jul 22, 2016, at 11:25 AM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> Regrettably, despite multiple readings throughout this, I appear to have missed some things in the definitions.
> 
> I'm mostly hoping for clarification, as it might simply be wording issues that can be corrected without changing the substance or intent of the ballot.
> 
> On Fri, Jul 22, 2016 at 11:06 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> 
> Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com"). For gTLDs, the domain www.[gTLD] will be considered to be a Base Domain.
> 
> 
> Why the "For gTLDs" clause? Is "www.[gTLD]" reserved by ICANN? Is this meant as a clause for Spec-13 situations? For example, as I read it, if Google wanted to get a certificate for "foo.google", the combined definition of "Authorization Domain Name" and "Base Domain Name" would potentially prohibit this - that is, as worded, it suggests "For gTLDs" is mutually exclusive with the preceding sentence.
> 
> I'm unclear if this was meant to be "will also be" - but if so, it's unclear why the gTLD case isn't handled previously. Is it meant to permit the WHOIS lookups for such spec-13 gTLDs? If so, it would only be necessary if you're applying for a bare certificate (either "*.[gTLD]" or [gTLD], and the latter is either prohibited or strongly-discouraged per ICANN SSAC on single-label hosts)
> 
> QUESTION: Can someone explain the context/intent of this clause?
> SUGGESTION: Can this clause be removed? Would the addition of the word "also" change the semantic meaning or interpretation?

You are correct that the second sentence is confusing and unnecessary.  I would propose that the definition be changed to read:

"Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com"). For FQDNs where the rightmost domain name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name."

Thanks,
Peter
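As an added illustration of the definition being debated above (this is constructed example code, not part of the ballot, the thread, or any Forum or CA software), the following Python sketch computes the Base Domain Name of an applied-for FQDN the way Peter's proposed wording reads: longest-match the registry-controlled/public suffix, take one node to its left, and, when the rightmost node is a Specification 13 gTLD, also accept the gTLD itself. The public-suffix set is a hand-made stand-in for the real Public Suffix List, and treating "google" as a Spec-13 gTLD is an assumption made here for illustration only.

```python
"""Compute the Base Domain Name(s) of an applied-for FQDN.

Constructed example following the wording proposed in the thread: the
first domain name node left of a registry-controlled or public suffix,
plus that suffix; for a Spec-13 gTLD, the gTLD itself may also serve as
the Base Domain Name. Not CA/B Forum code.
"""

# Constructed mini public-suffix set for illustration only; a real
# implementation would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "google"}

# Assumption for illustration: treat "google" as a gTLD whose registry
# agreement carries ICANN Specification 13. Not asserted by the thread.
SPEC13_GTLDS = {"google"}


def _labels(fqdn):
    """Normalise an FQDN into its labels, dropping a trailing dot and a
    leading wildcard label so "*.example.com" is judged as "example.com"."""
    name = fqdn.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name.split(".") if name else []


def public_suffix(fqdn, suffixes=PUBLIC_SUFFIXES):
    """Return the longest listed public suffix of fqdn.

    An unlisted rightmost label is treated as the suffix itself, mirroring
    the Public Suffix List's implicit "*" rule for unknown TLDs.
    """
    labels = _labels(fqdn)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1] if labels else None


def base_domain_names(fqdn, suffixes=PUBLIC_SUFFIXES, spec13=SPEC13_GTLDS):
    """Return every name that may serve as the Base Domain Name for fqdn.

    The first entry is the ordinary Base Domain Name (one node left of the
    suffix, plus the suffix). When the rightmost label is a Spec-13 gTLD,
    the gTLD itself is appended as a further acceptable Base Domain Name.
    An empty list means no Base Domain Name exists: the FQDN is itself a
    public suffix and no Spec-13 exception applies.
    """
    labels = _labels(fqdn)
    suffix = public_suffix(fqdn, suffixes)
    if suffix is None:
        return []
    suffix_len = len(suffix.split("."))
    names = []
    if len(labels) > suffix_len:
        names.append(".".join(labels[-(suffix_len + 1):]))
    tld = labels[-1]
    if tld in spec13 and tld not in names:
        names.append(tld)
    return names


if __name__ == "__main__":
    for name in ("www.example.co.uk", "example.com", "foo.google",
                 "*.google", "co.uk"):
        print(f"{name:20} -> {base_domain_names(name)}")
```

With this reading, "foo.google" yields both "foo.google" and "google", which is the case Ryan raised; without the Spec-13 sentence only "foo.google" would be returned, and a bare "*.google" request would have no Base Domain Name at all.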


