[Servercert-wg] www and non-www (possibly an old issue)

Ryan Sleevi sleevi at google.com
Mon Jan 28 07:31:46 MST 2019


On Mon, Jan 28, 2019 at 3:58 AM Adriano Santoni via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> My question stems from the fact that many CAs automatically include the
> naked <domain> in the SAN upon issuing a certificate that was requested for
> "www.<domain>" (and the opposite as well), on the grounds of the assumption
> that whoever controls "www" also controls the naked <domain>. Now, although
> most of the time the above assumption is true _de facto_, I would like to
> understand whether there exists an applicable standard (e.g. an RFC) or a
> sound technical reasoning, already put down in writing somewhere,
> supporting that assumption a priori and in general.
>

There is none.

As Doug said, a CA MUST be validating every domain they place in a
certificate.

It MAY be that the CA is validating the naked domain as an ADN, and then
including both the naked domain and the www prefixed domain as FQDNs that
are validated using the ADN, but in that case, both are validated. Note
that the converse does not apply - you cannot use the www-prefixed FQDN as
an ADN for the naked FQDN.

There is no reason to assume the two domains - www and naked - are shared
by the same entity. CAs should only include FQDNs that are requested.
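As an added illustration (not part of the message above or of any CA/Browser Forum document), the following Python check encodes the Authorization Domain Name (ADN) asymmetry Ryan describes: a validated naked domain covers itself and www-prefixed names under it, while a validated www-prefixed FQDN does not cover the naked domain. The public-suffix set is a constructed stand-in, not the real Public Suffix List.

```python
# Added example: which requested FQDNs a validated ADN actually covers.
# A naked domain validated as an ADN covers both itself and www-prefixed
# (or deeper) names under it; a www-prefixed name validated on its own does
# not cover the naked domain. Nothing is ever added on assumption.

PUBLIC_SUFFIXES = {"com", "net", "co.uk"}  # constructed stand-in for the PSL


def labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels, dropping a trailing dot."""
    name = name.rstrip(".").lower()
    parts = name.split(".")
    if not name or any(not lbl for lbl in parts):
        raise ValueError(f"malformed DNS name: {name!r}")
    return parts


def is_public_suffix(name: str) -> bool:
    """A registry-controlled name can never serve as an ADN."""
    return ".".join(labels(name)) in PUBLIC_SUFFIXES


def covered_by_adn(fqdn: str, adn: str) -> bool:
    """True if validating `adn` as an ADN authorises issuance for `fqdn`.

    The ADN must equal the FQDN or be obtained by removing labels from its
    left. Matching is label-wise, so 'example.com' does not cover
    'notexample.com', and a bare public suffix is rejected outright.
    """
    if is_public_suffix(adn):
        return False
    f, a = labels(fqdn), labels(adn)
    return len(a) <= len(f) and f[len(f) - len(a):] == a


def issuable_sans(requested: list[str], validated_adns: list[str]) -> list[str]:
    """Keep only the requested FQDNs that some validated ADN covers.

    Only requested names are considered: the www or naked counterpart is
    never inferred and appended.
    """
    return [s for s in requested
            if any(covered_by_adn(s, adn) for adn in validated_adns)]


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com"]
    print(issuable_sans(wanted, ["example.com"]))      # both covered
    print(issuable_sans(wanted, ["www.example.com"]))  # naked domain excluded
```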

