[cabf_validation] Definition of Base Domain Name

Doug Beattie doug.beattie at globalsign.com
Mon Aug 17 14:16:15 MST 2015


Hi Ben,

 

At this point the applicant requests an FQDN that they want in the cert, we
compute a list of allowed Authorization Domain Names which they can use (for
some methods) to help approve the FQDN.  The Authorization Domain Name
defines how to handle wildcard and how to trim from the left, so that should
be OK also.

 

A base domain is of the format example.com, and a wildcard for a base domain
would be *.example.com, so I think that describes it accurately.


We don't contemplate wildcards for gTLDs, *.co.uk, and that's good - let's
not get into how to do that (certainly one could envision allowing that for
some brand gTLDs, but manual processes would be good for that).

 

So it comes back to the original question, do we treat www.gTLD as a Base
Domain, or is it something different?

From: Ben Wilson [mailto:ben.wilson at digicert.com] 
Sent: Monday, August 17, 2015 10:58 AM
To: Doug Beattie <doug.beattie at globalsign.com>; validation at cabforum.org
Subject: RE: Definition of Base Domain Name

 

Doug,

You make a good point about these two definitions.  FQDN is another concept
that we also need to integrate into this analysis.  It makes me think we
need to create the concept of the "Requested FQDN", which isn't currently
used or defined.  

 

An applicant requests either a wildcard for a Base Domain Name or a
particular FQDN ("requested FQDN") for a certificate?  So I would argue that
we need to consider two scenarios - one is the wildcard for a base domain
and the other is an FQDN.  Question - is there a different process for
determining an Authorization Domain Name for each alternative, or is it the
same?

 

Ben

 

From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 8:51 AM
To: validation at cabforum.org
Subject: [cabf_validation] Definition of Base Domain Name

 

We haven't discussed the accuracy of the current definition:

 

Base Domain Name: The portion of an applied-for FQDN that is the first
domain name node left of a registry-controlled or public suffix plus the
registry-controlled or public suffix (e.g. "example.co.uk" or
"example.com").

 

For reference, the definition of Authorization Domain Name says: The CA may
prune zero or more labels from left to right until encountering a Base
Domain Name.

 

If the value of the first domain name node left of the registry-controlled
suffix or PSL is "www", should we allow the cert to be issued?  There are cases
where certs need to be issued, for example: https://www.gov.uk/ .  New TLDs
might also need this, www.walmart, www.visa, etc.  We can validate FQDNs like
this when doing domain control technically via email approval, DNS or file as
long as we use the www variant and haven't pruned any labels (www in this
case) from the left.  Authorization Domain Name says to leave one node to the
left of the Base Domain Name, and www technically is one node.  It sounds like
this is supported.

 

If we allow this, then we should consider updating the definition of Base
Domain Name to include some additional examples like www.co.example and
www.example as valid Base Domain Names.  However, calling these Base Domain
Names does not seem accurate, thus my question.
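Added example (not code from the thread or from any CA): it applies the two definitions quoted above to an applied-for FQDN, computing the Base Domain Name and the list of Authorization Domain Names obtained by pruning labels from the left, and flags the "www.gTLD" case Doug asks about. The suffix set is a small constructed stand-in for the registry-controlled / Public Suffix List data.

```python
# Constructed subset standing in for the registry-controlled / public suffix
# list; a real implementation must load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "walmart", "visa",
                   "example", "co.example"}


def split_labels(fqdn):
    """Lower-case the name, drop a trailing dot and return its labels."""
    fqdn = fqdn.lower().rstrip(".")
    labels = fqdn.split(".")
    if not fqdn or any(label == "" for label in labels):
        raise ValueError("malformed FQDN: %r" % fqdn)
    return labels


def base_domain_name(fqdn):
    """First label left of the longest matching public suffix, plus that suffix
    (the Base Domain Name definition). Returns None when the name is itself a
    suffix, i.e. there is no registrable label left of it."""
    labels = split_labels(fqdn)
    for i in range(len(labels)):  # i == 0 is the longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    raise ValueError("no known public suffix in %r" % fqdn)


def authorization_domain_names(fqdn):
    """Authorization Domain Name definition: drop wildcard labels first, then
    prune zero or more labels from the left until the Base Domain Name is
    reached; every intermediate value is usable for domain validation."""
    labels = split_labels(fqdn)
    while labels and labels[0] == "*":
        labels = labels[1:]
    if not labels:
        raise ValueError("nothing left of %r after removing wildcards" % fqdn)
    base = base_domain_name(".".join(labels))
    if base is None:  # e.g. *.co.uk: a wildcard directly over a public suffix
        raise ValueError("%r has no Base Domain Name" % fqdn)
    candidates = []
    while True:
        name = ".".join(labels)
        candidates.append(name)
        if name == base:
            return candidates
        labels = labels[1:]


def base_is_www(fqdn):
    """The thread's open question: the only label left of the suffix is 'www'
    (www.gov.uk, www.visa), so the Base Domain Name itself starts with www."""
    base = base_domain_name(fqdn)
    return base is not None and base.split(".")[0] == "www"
```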
