Based on input from Doug and Wayne, here are the proposed changes.

In section 4.2.2 remove:
CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by 
ICANN. Prior to issuing a Certificate containing an Internal Name with a gTLD 
that ICANN has announced as under consideration to make operational, the CA 
MUST provide a warning to the applicant that the gTLD may soon become 
resolvable and that, at that time, the CA will revoke the Certificate unless 
the applicant promptly registers the Domain Name. When a gTLD is delegated by 
inclusion in the IANA Root Zone Database, the Internal Name becomes a Domain 
Name, and at such time, a Certificate with such gTLD, which may have complied 
with these Requirements at the time it was issued, will be in a violation of 
these Requirements, unless the CA has verified the Subscriber’s rights in the 
Domain Name. The provisions below are intended to prevent such violation from 
happening.

Within 30 days after ICANN has approved a new gTLD for operation, as evidenced 
by publication of a contract with the gTLD operator on [www.ICANN.org] each CA 
MUST (1) compare the new gTLD against the CA’s records of valid certificates 
and (2) cease issuing Certificates containing a Domain Name that includes the 
new gTLD until after the CA has first verified the Subscriber's control over or 
exclusive right to use the Domain Name in accordance with Section 3.2.2.4.

Within 120 days after the publication of a contract for a new gTLD is published 
on [www.icann.org], CAs MUST revoke each Certificate containing a Domain Name 
that includes the new gTLD unless the Subscriber is either the Domain Name 
Registrant or can demonstrate control over the Domain Name.

In section 4.2.2 replace above with:
No stipulation.

In section 7.1.4.2.1 remove:
As of the Effective Date of these Requirements, prior to the issuance of a 
Certificate with a subjectAlternativeName extension or Subject commonName field 
containing a Reserved IP Address or Internal Name, the CA SHALL notify the 
Applicant that the use of such Certificates has been deprecated by the CA / 
Browser Forum and that the practice will be eliminated by October 2016. Also as 
of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date 
later than 1 November 2015 with a subjectAlternativeName extension or Subject 
commonName field containing a Reserved IP Address or Internal Name. Effective 1 
October 2016, CAs SHALL revoke all unexpired Certificates whose 
subjectAlternativeName extension or Subject commonName field contains a 
Reserved IP Address or Internal Name.

In section 7.1.4.2.1 replace above with:
The CA SHALL NOT issue a certificate with a subjectAlternativeName extension or 
Subject commonName field containing a Reserved IP Address or Internal Name.

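An added example, written for this thread and not part of it or of the Baseline Requirements: a stdlib-only Python check for the two tests the sections above describe, the 7.1.4.2.1 prohibition on a Reserved IP Address or Internal Name in a SAN or CN, and the 4.2.2 step (1) comparison of a newly delegated gTLD against a CA's issuance records. The TLD list, serial numbers and names are constructed samples, and "reserved" is approximated with ipaddress.is_global rather than the exact IANA registries.

```python
import ipaddress

# Constructed subset of TLDs delegated in the IANA Root Zone Database.
# Assumption: a real audit loads the full, current list from IANA instead.
DELEGATED_TLDS = {"com", "net", "org", "uk", "bank"}

FORBIDDEN = ("internal-name", "reserved-ip")


def classify_name(entry):
    """Classify one SAN dNSName/iPAddress or Subject CN value (as text).

    Returns 'public-dns', 'public-ip', 'internal-name' or 'reserved-ip'.
    'reserved-ip' approximates the BR notion of an IANA-reserved address via
    ipaddress.is_global, which consults the IANA special-purpose registries.
    'internal-name' follows the BR definition: a non-IP name whose rightmost
    label is not a TLD delegated in the IANA Root Zone Database.
    """
    value = entry.strip().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        return "public-ip" if ip.is_global else "reserved-ip"
    labels = value.lower().split(".")
    if len(labels) < 2 or labels[-1] not in DELEGATED_TLDS:
        return "internal-name"
    return "public-dns"


def issuance_violations(names):
    """Values that 7.1.4.2.1 forbids in a SAN or CN, each with its reason."""
    return [(n, classify_name(n)) for n in names if classify_name(n) in FORBIDDEN]


def affected_by_new_gtld(issued_certs, new_tld):
    """Section 4.2.2 step (1): serials of valid certificates whose names fall
    under a gTLD that has just been delegated (the caller names the gTLD)."""
    tld = new_tld.lower().strip(".")
    return sorted(serial for serial, names in issued_certs.items()
                  if any("." in n and n.lower().rstrip(".").split(".")[-1] == tld
                         for n in names))


# Constructed sample of what a CA's issuance records might hold.
SAMPLE_CERTS = {
    "0x01": ["www.example.com", "intranet.corp"],
    "0x02": ["mail.example.net", "10.0.0.5"],
    "0x03": ["files.corp", "192.0.2.10"],
    "0x04": ["shop.example.bank"],
}
```

Running `issuance_violations` over each record flags 0x01, 0x02 and 0x03, and `affected_by_new_gtld(SAMPLE_CERTS, "corp")` returns the two serials a delegation of .corp would turn into Domain Names.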

From: Management [mailto:[email protected]] On Behalf Of Wayne Thayer
Sent: November 30, 2017 3:05 PM
To: [email protected]
Subject: [EXTERNAL] Re: [cabfman] Cleanup for Non-registered Domains

To avoid any confusion or loopholes, I think we should leave the following 
statement in one of these sections:

the CA SHALL NOT issue a certificate with a subjectAlternativeName extension or 
Subject commonName field containing a Reserved IP Address or Internal Name.

Also, can we please move this discussion to the Public list?

Wayne

On Thu, Nov 30, 2017 at 12:23 PM, Doug Beattie via Management <[email protected]> wrote:
Is the intent to put “No Stipulation” as the content for section 4.2.2 since 
the text to be deleted is the entire content for that section?  I think it 
should.

The edit to 7.1.4.2.1 is to delete only one paragraph, and I agree that should 
be deleted.

From: Management [mailto:[email protected]] On Behalf Of Bruce Morton
Sent: Thursday, November 30, 2017 2:10 PM
To: [email protected]
Subject: [cabfman] FW: Cleanup for Non-registered Domains

The following was reviewed by the Validation Working Group and there were no 
objections in proposing this change.

Would like to know if there is any other feedback before proposing a ballot.

Thanks, Bruce.

From: Validation [mailto:[email protected]] On Behalf Of Bruce Morton via Validation
Sent: November 2, 2017 4:10 PM
To: CA/Browser Forum Validation WG List <[email protected]>
Subject: [EXTERNAL] [cabf_validation] Cleanup for Non-registered Domains

Sections 4.2.2 and 7.1.4.2.1 deal with non-registered domain names and reserved 
IP addresses. Since CAs are not allowed to issue these certificates since 
November 2015 and all outstanding certificates should have been revoked as of 
October 2016, I think this related information can be deleted from the BRs.

For reference.

Section 4.2.2 states:
CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by 
ICANN. Prior to issuing a Certificate containing an Internal Name with a gTLD 
that ICANN has announced as under consideration to make operational, the CA 
MUST provide a warning to the applicant that the gTLD may soon become 
resolvable and that, at that time, the CA will revoke the Certificate unless 
the applicant promptly registers the Domain Name. When a gTLD is delegated by 
inclusion in the IANA Root Zone Database, the Internal Name becomes a Domain 
Name, and at such time, a Certificate with such gTLD, which may have complied 
with these Requirements at the time it was issued, will be in a violation of 
these Requirements, unless the CA has verified the Subscriber’s rights in the 
Domain Name. The provisions below are intended to prevent such violation from 
happening.

Within 30 days after ICANN has approved a new gTLD for operation, as evidenced 
by publication of a contract with the gTLD operator on 
[www.ICANN.org] each CA MUST (1) compare the new gTLD 
against the CA’s records of valid certificates and (2) cease issuing 
Certificates containing a Domain Name that includes the new gTLD until after 
the CA has first verified the Subscriber's control over or exclusive right to 
use the Domain Name in accordance with Section 3.2.2.4.

Within 120 days after the publication of a contract for a new gTLD is published 
on [www.icann.org], CAs MUST revoke each Certificate 
containing a Domain Name that includes the new gTLD unless the Subscriber is 
either the Domain Name Registrant or can demonstrate control over the Domain 
Name.

Section 7.1.4.2.1 states:
As of the Effective Date of these Requirements, prior to the issuance of a 
Certificate with a subjectAlternativeName extension or Subject commonName field 
containing a Reserved IP Address or Internal Name, the CA SHALL notify the 
Applicant that the use of such Certificates has been deprecated by the CA / 
Browser Forum and that the practice will be eliminated by October 2016. Also as 
of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date 
later than 1 November 2015 with a subjectAlternativeName extension or Subject 
commonName field containing a Reserved IP Address or Internal Name. Effective 1 
October 2016, CAs SHALL revoke all unexpired Certificates whose 
subjectAlternativeName extension or Subject commonName field contains a 
Reserved IP Address or Internal Name.

Does this make sense?


Thanks, Bruce.


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public