[cabfpub] [Ext] Updated Ballot 190 v3 dated June 30, 2017

Ryan Sleevi sleevi at google.com
Sat Jul 1 11:05:59 MST 2017


Under "has more labels", "example.com" and "example.com.example.net" -
example.com.example.net has more labels than the validated FQDN.

This is where the term "Authorization Domain Name" is much more
clearly worded, by describing that the ADN for an FQDN may be
constructed by

"The CA may prune zero or more labels from left to right until
encountering a Base Domain Name and may use any one of the
intermediate values for the purpose of domain validation."

On Fri, Jun 30, 2017 at 6:43 PM, Kirk Hall via Public
<public at cabforum.org> wrote:
> Good point (I would never have thought of that example).  Done in upcoming v4.
> Thanks.
> -----Original Message-----
> From: Paul Hoffman [mailto:paul.hoffman at icann.org]
> Sent: Friday, June 30, 2017 3:17 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: [EXTERNAL]Re: [Ext] [cabfpub] Updated Ballot 190 v3 dated June 30, 2017
> <raises his hand meekly>
>> On Jun 30, 2017, at 3:04 PM, Kirk Hall via Public <public at cabforum.org> wrote:
>> “Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end in the validated FQDN.  This method is suitable for validating Wildcard Domain Names.”
>> We think that is short and simple, and can’t be misconstrued.
> It can be misconstrued, and similar wording has been misconstrued in DNS software in the past.
> For a validated FQDN of "example.com", "accounting-example.com" is an FQDN that ends in the validated FQDN.
> If you mean "has more labels than the validated FQDN" (as I suspect that you do), it is probably worthwhile to say that directly.
> --Paul Hoffman
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list