On Tue, November 10, 2015 12:15 pm, Richard Barnes wrote:
> I understand the impulse here, but technically, ccTLDs are under the
> control of specific administrators per country:
>
> """
> The country code domains (for example, FR, NL, KR,
> US) are each organized by an administrator for that country. These
> administrators may further delegate the management of portions of the
> naming tree.
> """
> https://tools.ietf.org/html/rfc1591
>
> So I think that permitting a ccTLD would be allowed by the letter of the
> BRs, if the applicant is actually a representative of the relevant
> national
> administrator.

I agree with Richard on this point. If a CA has issued such a cert to an applicant that they didn't vet as being the authorized representative of the relevant national administrator, then that's arguably no different than issuing a cert to someone who isn't the authorized domain holder - that is, it's misissuance.

I'm not keen to spell out all the ways for CAs to not misissue certificates, because it really shouldn't be that hard to... not misissue certs ;)

> That said, I would be OK with updating the policy to be stricter. If we
> want to rule out ccTLDs, would we also want to rule out things on the PSL in
> general?

No, and the Baselines cover why. [1]

[1] OK, well, they don't really cover why, they cover how.

Given that ICANN has taken to printing money via Brand TLDs, in which a single organization can exert full control over such TLDs, and given that we treat TLDs as public suffixes [2], that would prevent such certificates that are permissible under the BRs (and intentionally so).

[2] That is, it takes explicit work to mark a TLD as *not* a public suffix, since the Algorithm from the PSL has *always* treated all TLDs as implicitly public suffixes.

> It seems like if a name is a public suffix, then it doesn't
> really make sense to allow non-disclosed subordinates under the "you can
> only hurt yourself" rule.

I'd disagree as to whether that's even the purpose of the Public Suffix List, and while Gerv and I often haggle over the definitions of public suffixes, I suspect we'd both agree to that :) Simple counterpoints are brand-TLDs (for the ICANN portion of the PSL) or Appspot / Azure [3] (for the private portion of the PSL).

[3] Here, Appspot/Azure are on the PSL so they can enforce security origin separation in how browsers treat things such as cookies, storage quota, and user indicators, but they're entirely permissible to have certificates - or even name-constrained intermediates without disclosure/redaction, the same as any other registerable domain.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
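
The following is an added example, not part of the original message or of any CA's or Mozilla's code. It sketches the PSL matching algorithm that footnote [2] refers to (including the implicit `*` rule for unlisted TLDs) and shows which name-constraint dNSName values a blanket "no public suffixes" check would reject. The rule excerpt, the TLD `examplebrand`, and all function names are constructed for illustration.

```python
# Constructed rules in Public Suffix List syntax; not a copy of the real list.
SAMPLE_RULES = """\
// ICANN section (constructed excerpt)
fr
co.uk
*.ck
!www.ck
// private section (constructed excerpt)
appspot.com
"""

def parse_rules(text):
    """Return the set of rules, skipping blank lines and // comments."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.add(line.split()[0].lower())
    return rules

def public_suffix(name, rules):
    """Public suffix of name under the PSL matching algorithm."""
    labels = name.lower().strip(".").split(".")
    longest = 0
    for i in range(len(labels)):
        cand = labels[i:]
        if "!" + ".".join(cand) in rules:
            # An exception rule prevails; the suffix is the rule minus its leftmost label.
            return ".".join(cand[1:])
        wildcard = ".".join(["*"] + cand[1:])
        if ".".join(cand) in rules or wildcard in rules:
            longest = max(longest, len(cand))
    # No matching rule: the implicit "*" rule applies, so the bare TLD is the suffix.
    return ".".join(labels[-max(longest, 1):])

def is_public_suffix(name, rules):
    return public_suffix(name, rules) == name.lower().strip(".")

def flag_public_suffix_constraints(dns_names, rules):
    """Names that a 'reject anything that is a public suffix' check would refuse."""
    return [n for n in dns_names if is_public_suffix(n, rules)]

RULES = parse_rules(SAMPLE_RULES)
# Constructed permitted-subtree names; "examplebrand" stands in for a brand TLD
# that is not listed at all and is therefore a public suffix only implicitly.
SAMPLE_NAMES = ["fr", "examplebrand", "appspot.com", "myapp.appspot.com",
                "shop.examplebrand", "www.ck"]
FLAGGED = flag_public_suffix_constraints(SAMPLE_NAMES, RULES)
```

The check flags the ccTLD, the unlisted brand TLD, and the private-section entry alike, which is the over-blocking the message describes.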