[cabf_validation] Definition of Base Domain Name
kirk_hall at trendmicro.com
Mon Aug 17 17:55:55 MST 2015
Doug - is the case of www the only situation we are considering?
If yes, would we solve the problem by adding the following sentence at the end of the definition of Base Domain? "For gTLDs, the domain www.[gTLD] will be considered to be a Base Domain."
From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 2:16 PM
To: Ben Wilson; validation at cabforum.org
Subject: Re: [cabf_validation] Definition of Base Domain Name
Hi Ben,
At this point the applicant requests an FQDN that they want in the cert, we compute a list of allowed Authorization Domain Names which they can use (for some methods) to help approve the FQDN. The Authorization Domain Name defines how to handle wildcard and how to trim from the left, so that should be OK also.
A base domain is of the format example.com, and a wildcard for a base domain would be *.example.com, so I think that is described accurately.
We don't contemplate wildcards for gTLDs, *.co.uk, and that's good - let's not get into how to do that (certainly one could envision allowing that for some brand gTLDs, but manual processes would be good for that.)
So it comes back to the original question, do we treat www.gTLD as a Base Domain, or is it something different?
From: Ben Wilson [mailto:ben.wilson at digicert.com]
Sent: Monday, August 17, 2015 10:58 AM
To: Doug Beattie <doug.beattie at globalsign.com>; validation at cabforum.org
Subject: RE: Definition of Base Domain Name
Doug,
You make a good point about these two definitions. FQDN is another concept that we also need to integrate into this analysis. It makes me think we need to create the concept of the "Requested FQDN", which isn't currently used or defined.
An applicant requests either a wildcard for a Base Domain Name or a particular FQDN ("requested FQDN") for a certificate? So I would argue that we need to consider two scenarios - one is the wildcard for a base domain and the other is an FQDN. Question - is there a different process for determining an Authorization Domain Name for each alternative, or is it the same?
Ben
From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 8:51 AM
To: validation at cabforum.org
Subject: [cabf_validation] Definition of Base Domain Name
We haven't discussed the accuracy of the current definition:
Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com").
For reference, the definition of Authorization Domain Name says: The CA may prune zero or more labels from left to right until encountering a Base Domain Name.
If the value of the first domain name node left of the registry controlled or psl is "www", should we allow the cert to be issued? There are cases where certs need to be issued, for example: https://www.gov.uk/ . New tlds might also need this, www.walmart, www.visa, etc. We can validate FQDNs like this when doing domain control technically via email approval, DNS or file as long as we use the www variant and haven't pruned any labels (www in this case) from the left. Authorized domain name says to leave one node to the left of the Base Domain name, and www technically is one node. It sounds like this is supported.
If we allow this, then we should consider updating the definition of Base Domain Name to include some additional examples like www.co.example and www.example as valid Base Domain Names. However, calling these Base Domain Names does not seem accurate, thus my question.
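An added example, not part of the original thread or of any CA/Browser Forum text: a Python sketch of the two definitions quoted above, showing that www.gov.uk and www.walmart come out as Base Domain Names with no label left to prune. The suffix set is a constructed sample rather than the real public suffix list, the function names are hypothetical, and dropping a leading wildcard label is an assumption about how the Authorization Domain Name definition treats wildcards.

```python
# Constructed sample of registry-controlled / public suffixes (not the real PSL).
SAMPLE_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "walmart"}


def public_suffix(labels, suffixes):
    """Return the longest suffix of `labels` found in `suffixes`, as a label list."""
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return labels[i:]
    return []


def base_domain_name(fqdn, suffixes=SAMPLE_SUFFIXES):
    """First label left of the public suffix plus the suffix, per the quoted
    definition. Returns None when the name is itself a suffix or has none."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":  # assumption: wildcard label is dropped first
        labels = labels[1:]
    suffix = public_suffix(labels, suffixes)
    if not suffix or len(suffix) == len(labels):
        return None
    return ".".join(labels[-(len(suffix) + 1):])


def authorization_domain_names(fqdn, suffixes=SAMPLE_SUFFIXES):
    """Every name reachable by pruning zero or more labels from the left,
    stopping at the Base Domain Name (never pruning into the suffix)."""
    base = base_domain_name(fqdn, suffixes)
    if base is None:
        return []
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    stop = len(labels) - len(base.split("."))
    return [".".join(labels[i:]) for i in range(stop + 1)]
```
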