[cabf_validation] Definition of Base Domain Name

Ben Wilson ben.wilson at digicert.com
Mon Aug 17 07:58:28 MST 2015


Doug,

You make a good point about these two definitions.  FQDN is another concept
that we also need to integrate into this analysis.  It makes me think we
need to create the concept of the "Requested FQDN", which isn't currently
used or defined.  

 

An applicant requests either a wildcard for a Base Domain Name or a
particular FQDN ("requested FQDN") for a certificate?  So I would argue that
we need to consider two scenarios - one is the wildcard for a base domain
and the other is an FQDN.  Question: is there a different process for
determining an Authorization Domain Name for each alternative, or is it the
same?

 

Ben

 

From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 8:51 AM
To: validation at cabforum.org
Subject: [cabf_validation] Definition of Base Domain Name

 

We haven't discussed the accuracy of the current definition:

 

Base Domain Name: The portion of an applied-for FQDN that is the first
domain name node left of a registry-controlled or public suffix plus the
registry-controlled or public suffix (e.g. "example.co.uk" or
"example.com").

 

For reference, the definition of Authorization Domain Name says: The CA may
prune zero or more labels from left to right until encountering a Base
Domain Name.

 

If the value of the first domain name node left of the registry controlled
or psl is "www", should we allow the cert to be issued?  There are cases
where certs need to be issued, for example: https://www.gov.uk/ .  New tlds
might also need this, www.walmart, www.visa, etc.  We can validate FQDNs
like this when doing domain control technically via email approval, DNS or
file as long as we use the www variant and haven't pruned any labels (www in
this case) from the left.
Authorized domain name says to leave one node to the left of the Base Domain
name, and www technically is one node.  It sounds like this is supported.

 

If we allow this, then we should consider updating the definition of Base
Domain Name to include some additional examples like www.co.example and
www.example as valid Base Domain Names.  However, calling these Base Domain
Names does not seem accurate, thus my question.
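
Added illustration, not part of either message and not CA/Browser Forum code: the quoted Base Domain Name definition and the Authorization Domain Name pruning rule applied mechanically, so the www.gov.uk and www.walmart cases can be checked.  The suffix set is constructed from the names in the thread and stands in for a real registry-controlled/public suffix list; the function names and the handling of a wildcard request are assumptions.

```python
# Constructed stand-in for a registry-controlled / public suffix list,
# built from the names used in the thread; not real PSL data.
SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "walmart", "example", "co.example"}


def _labels(fqdn):
    """Lower-case, drop a trailing dot and a leading wildcard label, split."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":  # assumption: a wildcard is validated on the name below it
        labels = labels[1:]
    if not labels or not all(labels):
        raise ValueError(f"malformed name: {fqdn!r}")
    return labels


def base_domain_name(fqdn):
    """First label left of the longest matching suffix, plus that suffix."""
    labels = _labels(fqdn)
    if ".".join(labels) in SUFFIXES:
        raise ValueError(f"{fqdn!r} is itself a suffix")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known suffix in {fqdn!r}")


def authorization_domain_names(fqdn):
    """Every name reachable by pruning zero or more labels from the left,
    stopping at the Base Domain Name."""
    labels = _labels(fqdn)
    stop = len(labels) - len(base_domain_name(fqdn).split("."))
    return [".".join(labels[i:]) for i in range(stop + 1)]


if __name__ == "__main__":
    for name in ("shop.eu.example.co.uk", "www.gov.uk", "www.walmart",
                 "*.example.com"):
        print(name, "->", authorization_domain_names(name))
```

For www.gov.uk and www.walmart the only candidate is the name itself: under the quoted definition "www" is the first node left of the suffix, so nothing can be pruned and validation has to be done against the www name.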

 

 

 

 
