[cabf_validation] Definition of Base Domain Name

Bruce Morton bruce.morton at entrust.com
Tue Aug 18 05:56:45 MST 2015


I’m not understanding the issue. Is www reserved?

www.com has been registered, so I would consider this a base domain.

Would we not treat www.com the same way as www.visa? They both look like Base Domains to me.

Bruce.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Monday, August 17, 2015 8:56 PM
To: Doug Beattie <doug.beattie at globalsign.com>; Ben Wilson <ben.wilson at digicert.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Definition of Base Domain Name

Doug – is the case of www the only situation we are considering?

If yes, would we solve the problem by adding the following sentence at the end of the definition of Base Domain? “For gTLDs, the domain www.[gTLD] will be considered to be a Base Domain.”

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 2:16 PM
To: Ben Wilson; validation at cabforum.org
Subject: Re: [cabf_validation] Definition of Base Domain Name

Hi Ben,

At this point the applicant requests an FQDN that they want in the cert, we compute a list of allowed Authorization Domain Names which they can use (for some methods) to help approve the FQDN.  The Authorization Domain Name defines how to handle wildcard and how to trim from the left, so that should be OK also.

A base domain is of the format example.com, and a wildcard for a base domain would be *.example.com, so I think that is described accurately.

We don’t contemplate wildcards for gTLDs, *.co.uk, and that’s good – let’s not get into how to do that (certainly one could envision allowing that for some brand gTLDs, but manual processes would be good for that.)

So it comes back to the original question, do we treat www.gTLD as a Base Domain, or is it something different?




From: Ben Wilson [mailto:ben.wilson at digicert.com]
Sent: Monday, August 17, 2015 10:58 AM
To: Doug Beattie <doug.beattie at globalsign.com>; validation at cabforum.org
Subject: RE: Definition of Base Domain Name

Doug,
You make a good point about these two definitions.  FQDN is another concept that we also need to integrate into this analysis.  It makes me think we need to create the concept of the “Requested FQDN”, which isn’t currently used or defined.

An applicant requests either a wildcard for a Base Domain Name or a particular FQDN (“requested FQDN”) for a certificate?  So I would argue that we need to consider two scenarios – one is the wildcard for a base domain and the other is an FQDN.  Question: is there a different process for determining an Authorization Domain Name for each alternative, or is it the same?

Ben

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Monday, August 17, 2015 8:51 AM
To: validation at cabforum.org
Subject: [cabf_validation] Definition of Base Domain Name

We haven’t discussed the accuracy of the current definition:

Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. “example.co.uk” or “example.com”).

For reference, the definition of Authorization Domain Name says: The CA may prune zero or more labels from left to right until encountering a Base Domain Name.

If the value of the first domain name node left of the registry controlled or psl is “www”, should we allow the cert to be issued?  There are cases where certs need to be issued, for example: https://www.gov.uk/ .  New TLDs might also need this, www.walmart, www.visa, etc.  We can validate FQDNs like this when doing domain control technically via email approval, DNS or file as long as we use the www variant and haven’t pruned any labels (www in this case) from the left.  Authorized domain name says to leave one node to the left of the Base Domain name, and www technically is one node.  It sounds like this is supported.

If we allow this, then we should consider updating the definition of Base Domain Name to include some additional examples like www.co.example and www.example as valid Base Domain Names.  However, calling these Base Domain Names does not seem accurate, thus my question.
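
Added example, not part of the thread or any CA's code: the two quoted definitions applied mechanically, showing that www.gov.uk and www.visa come out as Base Domain Names with no labels left to prune. `SUFFIXES` is a small constructed list matched exactly (the real Public Suffix List also has wildcard and exception rules), the function names are hypothetical, and dropping a leading `*` label before pruning is an assumption.

```python
# Constructed sample of registry-controlled / public suffixes (not the real PSL).
SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "visa", "walmart"}


def split_labels(name):
    """Lower-case, drop a trailing dot and a leading wildcard label (assumption)."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    if not labels or any(label == "" for label in labels):
        raise ValueError(f"malformed name: {name!r}")
    return labels


def public_suffix(labels):
    """Longest run of right-hand labels found in SUFFIXES (exact match only)."""
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SUFFIXES:
            return candidate
    raise ValueError("no known suffix for " + ".".join(labels))


def base_domain_name(fqdn):
    """First node left of the suffix, plus the suffix, per the quoted definition."""
    labels = split_labels(fqdn)
    n = public_suffix(labels).count(".") + 1
    if len(labels) == n:
        # e.g. "*.co.uk" or "gov.uk": nothing sits left of the suffix.
        raise ValueError(f"{fqdn!r} is itself a suffix; no Base Domain Name")
    return ".".join(labels[-(n + 1):])


def authorization_domain_names(fqdn):
    """Prune zero or more labels from the left, stopping at the Base Domain Name."""
    labels = split_labels(fqdn)
    base_len = base_domain_name(fqdn).count(".") + 1
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


if __name__ == "__main__":
    for name in ("a.b.example.com", "*.example.co.uk", "www.gov.uk", "shop.www.visa"):
        print(name, "->", authorization_domain_names(name))
```
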






