[cabfpub] Problems with Ballot 202

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Jul 17 15:28:17 MST 2017


Here are the difficulties I'm having understanding the new (very complex) Ballot 202 definitions shown below.  I can't imagine explaining this to our engineering and vetting teams, and I think people will make mistakes.  Assuming these definitions parse out, at a bare minimum we should give easy examples for each definition.  These are arranged in a logical order, not alphabetically.

Also - we won't really know if these definitions are good and useful unless we compare them to the new text of BR 3.2.2.4, which defines how we are to do validation.  Last week when we pulled back Ballot 190 it was to allow Peter time to tune up the definition of Authorized Domain Name in Ballot 190 the context of BR 3.2.2.4 (so we could remove the Notes that had been added to Ballot 190), but to my surprise, the new definitions have shown up in Ballot 202 instead - I think that's a mistake.

As recently as July 4, Ben said this Ballot 202 would cover the following four subjects: (1) adds dnQualifier as an allowed attribute for all certificate types (including DV), (2) adds ASN.1 info on the EV jurisdiction attribute types, (3) adds language to the EV guidelines to clarify that CAs may limit their aggregate liabilities, (4) allows underscores in domain names and clarifies what can go in common names.  Why did the authors decide to include changes to crucial definitions applicable to domain validation at the same time, but not allow discussion in a pre-ballot?
At this point, Entrust is inclined to vote no - not because we necessarily oppose the ballot's aims, but because there are some questions and no time to resolve them before voting starts.

Here are our concerns about the new definitions.  Again, it would be nice to have more time to discuss, and not start voting on Wednesday.

Domain Label: An individual component of a Domain Name.

[What does this mean - "component"?  Is a period a Domain Label?  A couple of letters?  This seems circular with the Domain Name definition below.  Did you mean "node" and not "component"?  At a minimum, give examples - "In mail.example.com, the components are "mail", "example", and "com".  The period "." is not a component, nor are characters that are less than a full node such as "exa".]

Domain Name:  A set of one or more Domain Labels, each separated by a single full stop character (".").  Fully-Qualified Domain Names and Wildcard Domain Names are Domain Names.

[Again, somewhat circular - Domain Label says it's a component of a Domain Name, and Domain Name says it's made up of Domain Labels... never fully defined.

Also, saying that FQDNs and Wildcard DNs are DNs might work, but need to study the rest of the text.

Also, this definition does not require a domain name to end in a gTLD or ccTLD, so server1.mail qualifies as a Domain Name?  Might cause trouble with other definitions.]

Domain Namespace:  The set of all possible Domain Names that are subordinate to a single node in the Domain Name System.

[Unclear - "subordinate to a single node in the Domain Name System".  So for server1.mail.example.com, is "com" part of the Domain Namespace, or only server1.mail.example?  Also, you say in the definition of Domain Name that an FQDN is a Domain Name, so under the Definition of Domain Namespace, is the entire FQDN (including .com) meant to be subordinate to a single node in the Domain Name System?  Would that require server1.mail.example.com.com, with the second ".com" being the single node?

In the example server1.mail.example.com, "server1" and "mail" are subordinate to "example", so does that mean "server1.mail" is a Domain Namespace that is subordinate to the node "example"?

Also - we never use Domain Namespace in the rest of the definitions.  Where is it used, and does this definition make sense there?]

Fully-Qualified Domain Name:  A Domain Name that includes the Domain Labels of all superior nodes in the Internet Domain Name System.

[Again unclear.  The reference to "all superior nodes" begs the question - superior to what?  A gTLD or ccTLD?  In the example server1.mail.example.com, is "server1.mail.example" itself an FQDN, because it includes all "superior nodes" to .com?  Or did you mean to include .com as well to make it an FQDN?]

Wildcard Domain Name: A Domain Name consisting of a single asterisk character ("*") followed by a single full stop character (".") followed by a Fully-Qualified Domain Name.

[This is confusing because it starts with Domain Name, then talks about an FQDN - the "*" itself doesn't turn a Domain Name into an FQDN so why are you using both terms? ]

Base Domain Name: The portion of an applied-for Domain Name that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com").
For Domain Names where the right-most domain name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name.

[Ballot 190 stripped out "requested" in front of FQDN wherever it existed, as it seems to get into a CA's business processes - what the customer requests, as opposed to a domain the CA decides to validate - and adds nothing but confusion.  I recall discussion that used the word "requested" to limit what a CA could do - e.g., using "requested" might limit CA so they could only verify an FQDN the customer "requested" (server1.mail.example.com) and not the FQDN the CA wanted to verify to fill the customer's order (example.com).  Now we see the words "applied for" - take it out, it's not relevant and could restrict what CAs can do.]

Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given Domain Name.
The CA may use the FQDN returned from a DNS CNAME lookup as the Domain Name for the purposes of domain validation.
If the Domain Name is a Wildcard Domain Name, then the CA MUST remove "*." from the left most portion of requested Domain Name.
The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.

[First, the word "authorization" does not seem correct - validation (used in BR 3.2.2.4) might make more sense.  A simple WhoIs lookup by itself doesn't seem like authorization, only validation of a request.

The first sentence is somewhat circular by using Domain Name twice in one sentence.  The Domain Name used... for a given Domain Name.  ??

Assuming that server1.mail is a Domain Name, can it be an Authorization Domain Name for something?

The second sentence again goes from FQDN to Domain Name - not clear why.

The third sentence again talks about the "requested Domain Name" - requested by the customer?  Please remove "requested".  Also, why are you saying the * must be removed - do you mean to add something at the end of the sentence like "before the validation is obtained", or "before a certificate is issued", or..?  I don't understand the purpose of this sentence in this definition.

The final sentence is unclear as to what domain name is being pruned - the Authorization Domain Name?  (The sentence is in that definition.)  Or is the requested domain name being pruned (probably).  This might be one place where it makes sense to use "requested" simply to show a CA can choose to prune and then validate what's left.  But why is this rule in the definition of Authorization Domain Name?  Shouldn't it be in BR 3.2.2.4 itself?]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170717/533a8080/attachment.html>


More information about the Public mailing list