On 10/11/15 23:44, Ryan Sleevi wrote:
> If a CA has issued such a cert to an applicant that they didn't vet as
> being the authorized representative of the relevant national
> administrator, then that's arguably no different than issuing a cert to
> someone who isn't the authorized domain holder - that is, it's
> misissuance.

Well, if the cert has a SAN of "*.co.uk", yes. If the cert has a constraint to "*.co.uk", that's different. But the question is: do we count that as "technically constrained"? I would say No; the point of "technically constrained" is that it can only issue certs for domains which the owner of the intermediate owns or controls. I don't really think it makes sense to say that the CCTLD administrator for the UK "owns or controls" wibble.co.uk in the sense that we mean it here.

>> It seems like if a name is a public suffix, then it doesn't
>> really make sense to allow non-disclosed subordinates under the "you can
>> only hurt yourself" rule.
>
> I'd disagree as to whether that's even the purpose of the Public Suffix
> List, and while Gerv and I often haggle over the definitions of public
> suffices, I suspect we'd both agree to that :)

I certainly agree that presence on the list does not automatically imply what Richard said. "Presence on the ICANN section of the list" gets closer, but this doesn't solve the brand-TLD problem. Ideally, we would know which TLDs were public-registration and which were not; ICANN has made noises about providing this information.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
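A worked illustration of the distinction drawn in this message, added here and not part of the thread or of any Mozilla policy tooling: a check that takes the dNSName permittedSubtrees of a name-constrained intermediate and reports whether a subtree covers a public suffix (so the intermediate could issue for names belonging to other registrants) and, if so, which section of the Public Suffix List the suffix sits in. The Public Suffix List embedded below is a constructed miniature using the real list's ICANN/PRIVATE section markers and rule syntax; the function names and the sample constraints are assumptions made for the example.

```python
# Added example: flag name constraints that are not "technically constraining"
# because the permitted dNSName subtree is, or contains, a public suffix.
# PSL_SAMPLE is a constructed miniature of the Public Suffix List (publicsuffix.org);
# it uses the real list's section markers and rule syntax ("*." wildcard, "!" exception).
PSL_SAMPLE = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
org.uk
jp
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Return a list of (rule, section) pairs; section is 'ICANN' or 'PRIVATE'."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN ICANN"):
            section = "ICANN"
            continue
        if line.startswith("// ===BEGIN PRIVATE"):
            section = "PRIVATE"
            continue
        if line.startswith("// ===END"):
            section = None
            continue
        if not line or line.startswith("//"):
            continue
        rules.append((line.lower(), section))
    return rules


def public_suffix(domain, rules):
    """PSL matching: all matching rules are found; an exception rule wins and
    yields the suffix one label shorter, otherwise the longest rule wins.
    Returns (suffix, section); unknown TLDs fall back to the PSL default rule."""
    labels = domain.lower().strip(".").split(".")
    matches = []
    for rule, section in rules:
        exception = rule.startswith("!")
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p == "*" or p == t for p, t in zip(parts, tail)):
            matches.append((exception, len(parts), section))
    if not matches:
        return labels[-1], "unlisted"
    exceptions = [m for m in matches if m[0]]
    if exceptions:
        _, n, section = max(exceptions, key=lambda m: m[1])
        n -= 1
    else:
        _, n, section = max(matches, key=lambda m: m[1])
    return ".".join(labels[-n:]), section


def constraint_covers_public_suffix(constraint, rules):
    """An RFC 5280 dNSName permittedSubtree 'example.com' covers example.com and
    every subdomain. Return the PSL section of a public suffix inside that
    subtree, or None when the subtree stays within one registrant's domain.
    Accepts the '.co.uk' and '*.co.uk' spellings as well as 'co.uk'."""
    name = constraint.lower()
    if name.startswith("*."):
        name = name[2:]
    name = name.strip(".")
    # A public suffix strictly below the constraint (e.g. constraint 'uk', rule 'co.uk').
    for rule, section in rules:
        if not rule.startswith("!") and rule.endswith("." + name):
            return section
    # The constraint itself is a public suffix (e.g. 'co.uk').
    suffix, section = public_suffix(name, rules)
    if suffix == name:
        return section
    return None


def audit_constraints(constraints, rules):
    """Map each permitted subtree to its verdict for a disclosure/audit review."""
    return {c: constraint_covers_public_suffix(c, rules) for c in constraints}


if __name__ == "__main__":
    rules = parse_psl(PSL_SAMPLE)
    # Constructed sample permittedSubtrees for three hypothetical intermediates.
    for subtree, verdict in audit_constraints(
        ["*.co.uk", "wibble.co.uk", "github.io", ".example.com"], rules
    ).items():
        print(f"{subtree:16} -> {verdict or 'within one registrant (technically constrained)'}")
```

A verdict of "ICANN" is the case discussed above: a constraint to "*.co.uk" limits the intermediate to a registry's namespace, not to names the holder owns or controls, so it should not be treated as technically constrained; "PRIVATE" matches the point that presence on the list alone does not settle the question, and a brand TLD absent from the sample list is reported as "unlisted", which the check cannot resolve without the registration-policy data the message says ICANN has not provided.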

