[cabf_validation] Publicly Trusted TLS certs with .arpa domains

Tim Hollebeek tim.hollebeek at digicert.com
Wed Aug 23 16:10:50 UTC 2023


I have wanted to fix this ever since we discovered it at a previous employer.

-Tim

From: Validation <validation-bounces at cabforum.org> On Behalf Of Corey Bonnell via Validation
Sent: Tuesday, August 22, 2023 5:13 PM
To: CABforum3 <validation at cabforum.org>
Subject: [cabf_validation] Publicly Trusted TLS certs with .arpa domains

Hello,
In reviewing the project board [1] for our group, I did some investigation into the "On Deck" item for validation requirements for .arpa domains [2]. It turns out that according to Censys, there are currently no unexpired and publicly trusted certificates that have been issued with a .arpa domain name [3].

When the topic of prohibiting such issuance was raised several years ago, there was some pushback as there were several thousand valid certificates with .arpa domain names at the time. However, given that there is potentially no ecosystem impact on prohibiting the issuance of such certificates now, perhaps we can proceed with a short and simple ballot that establishes such a prohibition.

If others agree, I'd be willing to draft such a ballot. Or, if someone would like to develop the proposal, that's perfectly fine too.

Thanks,
Corey

[1] https://github.com/orgs/cabforum/projects/1/views/1
[2] https://github.com/cabforum/servercert/issues/153
[3] https://search.censys.io/search?resource=certificates&q=parsed.extensions.subject_alt_name.dns_names%3A%2F.%2B%5C.arpa%2F+and+parsed.validity_period.not_after%3A%5B2023-08-22+TO+*%5D
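A certificate-linting check for the prohibition discussed above, added here as an example and not code from the thread or from the CA/Browser Forum. It assumes the SAN dNSName values have already been extracted from the certificate and works on a constructed list of names:

```python
# Added example (not part of the thread): a linter-style check that flags
# SAN dNSName entries whose last DNS label is "arpa", i.e. the names the
# proposed ballot would prohibit in publicly trusted TLS certificates.


def is_arpa_name(dns_name: str) -> bool:
    """True if the dNSName falls under the .arpa top-level domain.

    Normalises case and a trailing dot, and compares the final label only,
    so "arpa.example.net" or "notarpa.example.org" are not flagged while a
    wildcard such as "*.ip6.arpa" is.
    """
    name = dns_name.strip().rstrip(".").lower()
    if not name:
        return False
    labels = name.split(".")
    return labels[-1] == "arpa"


def find_arpa_sans(san_dns_names):
    """Return the subset of SAN dNSName values that are under .arpa."""
    return [n for n in san_dns_names if is_arpa_name(n)]


# Constructed sample SAN list (not taken from any real certificate).
SAMPLE_SANS = [
    "www.example.com",
    "1.0.168.192.in-addr.arpa",   # reverse-DNS name under .arpa
    "*.IP6.ARPA",                 # wildcard, upper case
    "arpa.example.net",           # "arpa" only as a left-hand label: allowed
    "notarpa.example.org",        # substring match only: allowed
    "home.arpa.",                 # trailing dot; RFC 8375 special-use zone
]

if __name__ == "__main__":
    for flagged in find_arpa_sans(SAMPLE_SANS):
        print("would be prohibited:", flagged)
```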

