[Servercert-wg] Question on BR 3.2.2.6
Ryan Sleevi
sleevi at google.com
Fri Feb 28 12:44:43 MST 2020
On Fri, Feb 28, 2020 at 2:21 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:
> Ryan,
>
>
>
> Your statement below: “ .. demonstration of the total control of the
> namespace would definitely tie to a validation based on DNS, as opposed to
> a validation limited in scope…” doesn’t align with what the BRs, section
> 7.5.1 says: “(a) For each dNSName in permittedSubtrees, the CA MUST confirm
> that the Applicant has registered the dNSName or has been authorized by the
> domain registrant to act on the registrant's behalf in line with the
> verification practices of section 3.2.2.4.”.
>
>
>
> There seems to be a disconnect, because the way I read this is that the
> BRs permit any method to be used, not just DNS. Are you proposing a change
> to the BRs? If there is the possibility of multiple interpretations, then
> we’ll want to address this section as part of the Default Allow/Default
> Deny discussion in the Validation subcommittee.
>
Doug: Apologies for the confusion. I was not trying to answer "What is the
appropriate validation for nameConstraints", only highlighting wildcards
don't appear. I was, however, trying to answer the question Pedro posed,
which was regarding wildcard certificates in general, and specifically:
> A CA is not prohibited from issuing a Wildcard Certificate to the
Registrant of an entire gTLD, provided that control of the entire namespace
is demonstrated in an appropriate way
and
> If a wildcard would fall within the label immediately to the left of a
registry-controlled1 or public suffix, CAs MUST refuse issuance unless the
applicant proves its rightful control of the entire Domain Namespace.
The question that Pedro raised, and I was trying to answer, is what
constitutes "control of the entire namespace" ... "in an appropriate way" /
what the "rightful control of the **entire** Domain Namespace" would
involve.
For example, there's no defensible reading that 3.2.2.4.8 would cover
control over an entire namespace. This is not a change in the BRs, but the
existing language.
As Dimitris noted, perhaps it's confusing for folks to start on a
discussion of name constraints without changing the thread title. I was
trying to keep this focused on 3.2.2.6, not 7.1.5 (I'm guessing that's what
you meant by 7.5.1).
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200228/db19661e/attachment.html>
More information about the Servercert-wg
mailing list