The issue I raised is not whether ccTLDs are allowed in the BRs (they apparently are, to date) or what kind of entity could be allowed a ccTLD in their SubCA certificate's permittedSubtrees.

My point is whether a SubCA having a ccTLD in its permittedSubtrees can reasonably be regarded as "technically constrained" and therefore be allowed not to be disclosed and not to be formally audited...

Adriano


On 10/11/2015 21:15, Richard Barnes wrote:
I understand the impulse here, but technically, ccTLDs are under the
control of specific administrators per country:

"""
   The country code domains (for example, FR, NL, KR,
   US) are each organized by an administrator for that country.  These
   administrators may further delegate the management of portions of the
   naming tree.
"""
https://tools.ietf.org/html/rfc1591

So I think that permitting a ccTLD would be allowed by the letter of the
BRs, if the applicant is actually a representative of the relevant national
administrator.

That said, I would be OK with updating the policy to be stricter.  If we
want to rule out ccTLDs, would we also want to rule out things on the PSL in
general?  It seems like if a name is a public suffix, then it doesn't
really make sense to allow non-disclosed subordinates under the "you can
only hurt yourself" rule.

--Richard


On Tue, Nov 10, 2015 at 3:08 PM, Kathleen Wilson <[email protected]>
wrote:

All,

I have been asked to consider updating Mozilla's CA Certificate Policy to
clarify that a ccTLD is not acceptable in permittedSubtrees for technically
constraining subordinate CA certs.

In section 7.1.5 of version 1.3 of the Baseline Requirements it says:
"(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the
Applicant has registered the dNSName or has been authorized by the domain
registrant to act on the registrant's behalf in line with the verification
practices of section 3.2.2.4."

And in
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
section 9 says: "For each dNSName in permittedSubtrees, the issuing CA
MUST confirm that the subordinate CA has registered the dNSName or has been
authorized by the domain registrant to act on the registrant’s behalf. Each
dNSName in permittedSubtrees must be a registered domain (with zero or more
subdomains) according to the Public Suffix List algorithm."

I don't see how a CA could confirm that the subordinate owns/controls all
of the domains for a ccTLD (e.g. *.uk). So, it seems to me that any
subordinate CA that has a ccTLD in permittedSubtrees does not meet the BR
or Mozilla requirements regarding being technically constrained.

So, should we specifically state (in the requirements regarding a subCA
being technically constrained) that permittedSubtrees cannot contain a
ccTLD?

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy


--
Adriano Santoni

Attachment: smime.p7s
Description: S/MIME cryptographic signature

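The check both Kathleen and Richard are reasoning about (is a given permittedSubtrees dNSName a registered domain, or is it a public suffix such as a bare ccTLD?) is the Public Suffix List algorithm from https://publicsuffix.org/list/. Below is an added example of that check, written for this thread; it is not code from Mozilla, the CA/Browser Forum, or any CA. The rule set is a constructed subset of the real PSL so the script runs offline, the function names are my own, and treating a leading "*." as the parent name (Kathleen's "*.uk" shorthand) is my assumption, since RFC 5280 name constraints have no wildcard syntax.

```python
"""
PSL check for permittedSubtrees dNSName entries.

Added example for this thread; not code from Mozilla, the CA/Browser Forum
or any CA.  It implements the Public Suffix List algorithm from
https://publicsuffix.org/list/ over a small rule set that is a constructed
subset of the real list, so it runs offline.  Function names are my own.
"""

# Constructed subset of the Public Suffix List (assumption: just enough rules
# to exercise plain, wildcard and exception entries; the real list is far larger).
PSL_RULES = [
    "com", "org", "net", "it",
    "uk", "co.uk", "ac.uk", "gov.uk",
    "jp", "*.kawasaki.jp", "!city.kawasaki.jp",
    "*.ck", "!www.ck",
]


def _labels(name):
    """Split a DNS name into labels, case-folded, ignoring leading/trailing dots."""
    return name.lower().strip(".").split(".")


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when, compared right to left, every rule label equals the
    domain label or is the wildcard '*', and the rule is not longer than the domain."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(name, rules=PSL_RULES):
    """Return the public suffix of `name` per the PSL algorithm: an exception
    rule wins outright (its suffix is the rule minus its leftmost label),
    otherwise the longest matching rule, otherwise the implicit '*' (the TLD)."""
    domain = _labels(name)
    best = 0
    for rule in rules:
        rule_labels = _labels(rule.lstrip("!"))
        if not _rule_matches(rule_labels, domain):
            continue
        if rule.startswith("!"):
            return ".".join(domain[-(len(rule_labels) - 1):])
        best = max(best, len(rule_labels))
    return ".".join(domain[-max(best, 1):])


def registered_domain(name, rules=PSL_RULES):
    """Return the registered (registrable) domain: public suffix plus one label.
    Returns None when `name` is itself a public suffix, i.e. nobody can have
    registered it with a registrar, which is exactly the case of a bare ccTLD."""
    domain = _labels(name)
    suffix_len = len(_labels(public_suffix(name, rules)))
    if len(domain) <= suffix_len:
        return None
    return ".".join(domain[-(suffix_len + 1):])


def flag_public_suffixes(dns_names, rules=PSL_RULES):
    """Return the permittedSubtrees dNSName entries that fail Mozilla's rule
    that each entry be a registered domain with zero or more subdomains.
    A leading '*.' (the e-mail's '*.uk' shorthand) is treated as the parent
    name; this is an assumption, RFC 5280 name constraints have no wildcards."""
    flagged = []
    for raw in dns_names:
        name = raw.lower().strip(".")
        if name.startswith("*."):
            name = name[2:]
        if registered_domain(name, rules) is None:
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    # Constructed sample of what a subCA's permittedSubtrees might carry.
    sample = ["example.it", "uk", "co.uk", "*.uk", "mail.example.com", "www.ck"]
    for entry in sample:
        print(f"{entry:20s} registered domain: {registered_domain(entry.lstrip('*.'))}")
    print("entries that are public suffixes:", flag_public_suffixes(sample))
```

Run against a real copy of the PSL (swap PSL_RULES for the parsed file, skipping comments and blank lines) this gives a mechanical answer to Kathleen's question for any subCA: an entry whose registered domain is None, whether a ccTLD like "uk" or a registry-controlled name like "co.uk", is something no applicant can demonstrate control of under BR 3.2.2.4, so the subCA should not count as technically constrained. Note the exception-rule case ("www.ck", "city.kawasaki.jp"): those names sit directly under a wildcard suffix yet are legitimately registrable, so a naive "is it on the list?" lookup would wrongly flag them.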
