On 10/10/16 7:54 PM, Richard Barnes wrote:
Ultimately, it's up to the CA to decide what names it's willing to issue
for.

Agreed.

(There are other controls on those decisions, such as the CABF
Baseline Requirements [1].)  Typically, CAs refuse to issue for names on
the PSL, or at least have big procedural fences around such issuance.

Sure. The CABF spec currently says:

  Determination of what is “registry‐controlled” versus the
  registerable portion of a Country Code Top‐Level Domain Namespace is
  not standardized at the time of writing and is not a property of the
  DNS itself. Current best practice is to consult a “public suffix
  list” such as http://publicsuffix.org/ (PSL), and to retrieve a fresh
  copy regularly. If using the PSL, a CA SHOULD consult the "ICANN
  DOMAINS" section only, not the "PRIVATE DOMAINS" section.

So it's not necessarily the PSL per se. But CABF is merely one example of a potential policy, I suppose.

But if a CA clears all the policy gates to issue for an eTLD (say one of
those ccTLDs with an A record), then they can do so.

In any case, this is not something about which the spec can be
normative.  The only reason it's in there at all is that it's one of the
common checks that CAs do, so it made sense to have as an example.

Fair enough. Thanks for the reply.

Peter


--Richard

[1] See the definition of Base Domain Name in
https://github.com/cabforum/documents/blob/master/docs/BR.md

On Mon, Oct 10, 2016 at 9:44 PM, Peter Saint-Andre <[email protected]> wrote:

    Section 9.5 of draft-ietf-acme-acme-03 suggests that a CA might
    check whether an identifier is an eTLD (i.e., is on the Public
    Suffix List). What is the intended outcome of the checks described
    in this section? Is it that the CA not issue a certificate to the
    applicant, or do so only after completing additional and perhaps
    manual (albeit currently unspecified) verification steps?

    Peter

    _______________________________________________
    Acme mailing list
    [email protected] <mailto:[email protected]>
    https://www.ietf.org/mailman/listinfo/acme
    <https://www.ietf.org/mailman/listinfo/acme>


