Ultimately, it's up to the CA to decide what names it's willing to issue
for.  (There are other controls on those decisions, such as the CABF
Baseline Requirements [1].)  Typically, CAs refuse to issue for names on
the PSL, or at least have big procedural fences around such issuance.  But
if a CA clears all the policy gates to issue for an eTLD (say one of those
ccTLDs with an A record), then they can do so.

In any case, this is not something about which the spec can be normative.
The only reason it's in there at all is that it's one of the common checks
that CAs do, so it made sense to have as an example.

--Richard

[1] See the definition of Base Domain Name in
https://github.com/cabforum/documents/blob/master/docs/BR.md

On Mon, Oct 10, 2016 at 9:44 PM, Peter Saint-Andre <[email protected]>
wrote:

> Section 9.5 of draft-ietf-acme-acme-03 suggests that a CA might check
> whether an identifier is an eTLD (i.e., is on the Public Suffix List). What
> is the intended outcome of the checks described in this section? Is it that
> the CA not issue a certificate to the applicant, or do so only after
> completing additional and perhaps manual (albeit currently unspecified)
> verification steps?
>
> Peter
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
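
Added example, not part of the original thread or of the ACME draft: a minimal sketch of the "is this identifier an eTLD?" check discussed above, using the Public Suffix List matching rules (plain, wildcard and exception rules). The rule list is a constructed sample rather than the real PSL, and `issuance_gate` with its outcome labels is a hypothetical policy hook, since the thread makes clear the actual outcome is the CA's decision. Input is assumed to be ASCII/A-label names.

```python
# Constructed sample in Public Suffix List rule syntax; NOT the real list.
SAMPLE_RULES = """
// constructed sample rules
com
uk
co.uk
*.ck
!www.ck
"""

def load_rules(text):
    """Parse PSL-format text: one rule per line, '//' starts a comment line."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.add(line.split()[0].lower())
    return rules

def public_suffix(name, rules):
    """Return the public suffix of an ASCII/A-label DNS name under `rules`."""
    labels = name.lower().rstrip(".").split(".")
    best = 1  # implicit default rule "*": the rightmost label is a suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "!" + candidate in rules:
            # An exception rule prevails; the suffix is the rule minus its
            # leftmost label.
            return ".".join(labels[i + 1:])
        parent = ".".join(labels[i + 1:])
        if candidate in rules or (parent and "*." + parent in rules):
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def issuance_gate(identifier, rules):
    """Hypothetical CA pre-issuance check; the outcome labels are assumptions."""
    base = identifier.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]  # judge a wildcard request by the name it sits under
    if public_suffix(base, rules) == base:
        return "refuse-or-manual-review"  # identifier is itself an eTLD
    return "proceed"

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for ident in ["example.co.uk", "co.uk", "*.co.uk", "www.ck", "foo.ck"]:
        print(f"{ident:15} {issuance_gate(ident, rules)}")
```
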