I understand the impulse here, but technically, ccTLDs are under the control of specific administrators per country:
""" The country code domains (for example, FR, NL, KR, US) are each organized by an administrator for that country. These administrators may further delegate the management of portions of the naming tree. """ https://tools.ietf.org/html/rfc1591 So I think that permitting a ccTLD would be allowed by the letter of the BRs, if the applicant is actually a representative of the relevant national administrator. That said, I would be OK with updating the policy to be stricter. If we want to rule out ccTLDs, would we also want rule out things on the PSL in general? It seems like if a name is a public suffix, then it doesn't really make sense to allow non-disclosed subordinates under the "you can only hurt yourself" rule. --Richard On Tue, Nov 10, 2015 at 3:08 PM, Kathleen Wilson <[email protected]> wrote: > All, > > I have been asked to consider updating Mozilla's CA Certificate Policy to > clarify that a ccTLD is not acceptable in permittedSubtrees for technically > constraining subordinate CA certs. > > In section 7.1.5 of version 1.3 of the Baseline Requirement it says: > "(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the > Applicant has registered the dNSName or has been authorized by the domain > registrant to act on the registrant's behalf in line with the verification > practices of section 3.2.2.4." > > And in > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ > section 9 says: "For each dNSName in permittedSubtrees, the issuing CA > MUST confirm that the subordinate CA has registered the dNSName or has been > authorized by the domain registrant to act on the registrant’s behalf. Each > dNSName in permittedSubtrees must be a registered domain (with zero or more > subdomains) according to the Public Suffix List algorithm." > > I don't see how a CA could confirm that the subordinate owns/controls all > of the domains for a ccTLD (e.g. *.uk). So, it seems to me that any > subordinate CA that has a ccTLD in permittedSubtrees does not meet the BR > or Mozilla requirements regarding being technically constrained. > > So, should we specifically state (in the requirements regarding a subCA > being technically constrained) that permittedSubtrees cannot contain a > ccTLD? > > Kathleen > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
