On Fri, Jan 30, 2015 at 10:13:57PM -0800, Peter Bowen wrote:
> On Fri, Jan 30, 2015 at 7:03 PM, Watson Ladd <[email protected]> wrote:
> > On Fri, Jan 30, 2015 at 6:35 PM, Matt Palmer <[email protected]> wrote:
> >> On Sat, Jan 31, 2015 at 02:01:45AM +0000, Jeremy Rowley wrote:
> >>> Yeah - good points. We definitely don't want to see a ?.com cert logged.
> >>
> >> Actually, I'd be quite happy to see a precert for ?.com logged. It would
> >> make it quite clear which CA is failing to play by the rules, which is,
> >> after all, rather the point of CT.
> >
> > Backing up quite a bit: It's clear from the examples that the level at
> > which you can safely truncate a domain and know that you are
> > identifying a unique organization is extremely difficult to determine.
> > I'm sure there is a list out there, but it may change. And when it
> > changes, old software may suddenly either accept too many certs, or
> > too few.
> >
> > I'm sure people have thought about this more than I have.
>
> Take a look at http://www.publicsuffix.org/ It is a formatted list
> that attempts to document the split between shared (e.g. public)
> portions of a fully qualified domain name and the registered (private)
> portion.
>
> The new TLD rush is going to cause interesting issues, as there is a
> concept of a ".brand" where the whole TLD represents one organization.
> I think there is an argument these are not new (as .mil is effectively
> a .brand for the US Department of Defense), but I'm sure that they
> will be interesting from a processing perspective. ? anyone?
publicsuffix.org is what is recommended for CAs to use in determining
whether to allow registration of a name, I believe.

For the purposes of CT logs, specifically, though, I believe it's
irrelevant. Logging a certificate shows what was issued, logging a
precert shows what was intended to be issued. CT monitors should be
watching for signs of inappropriate behaviour. Logging a precert such
that the legitimate owner of *any* FQDN cannot determine with confidence
that the unredacted precert could actually be for something in their
namespace is an inappropriate behaviour. It's no different than logging
a cert with an overly-broad wildcard, such as a sAN of `dNSName:*.com`.

- Matt

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
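The check a CT monitor would apply to Matt's rule above, as an added example (this is not code from the trans list thread, from any CT log or monitor, or from publicsuffix.org): a small Public Suffix List matcher that derives the registrable domain (eTLD+1) of a name, and a classifier that flags a SAN whose wildcard or redacted labels hide that registrable domain, so that no single domain owner could claim it. The PSL rules embedded in the block are a constructed subset in the list's own syntax, chosen to exercise a plain rule, a wildcard rule and an exception rule; the real list has thousands of entries and changes over time. Treating a `?` label as "redacted" follows the `?.com` shorthand used in the thread and is an assumption of this example, not a fixed wire format.

```python
"""Public-suffix-based check for over-broad wildcard / redacted SANs.

Added example for the trans thread above; not code from the thread,
from any CT project, or from publicsuffix.org.
"""

# Constructed subset of Public Suffix List rules, in the list's own
# syntax: plain rules, a wildcard rule ("*.ck") and an exception rule
# ("!www.ck"). The real list is far larger and must be refreshed.
PSL_SUBSET = """
// ===BEGIN ICANN DOMAINS===
com
org
uk
co.uk
*.ck
!www.ck
mil
// ===END ICANN DOMAINS===
"""


def parse_psl(text):
    """Return (rules, exceptions) as sets of label tuples; skip comments."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exceptions.add(tuple(line[1:].split(".")))
        else:
            rules.add(tuple(line.split(".")))
    return rules, exceptions


def _rule_matches(rule, labels):
    """PSL matching: compare right-to-left; a '*' rule label matches any one label."""
    if len(rule) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule), reversed(labels)))


def public_suffix(name, psl):
    """Public suffix of `name` under the PSL algorithm (exceptions win, else longest rule)."""
    rules, exceptions = psl
    labels = name.lower().rstrip(".").split(".")
    for exc in exceptions:
        if _rule_matches(exc, labels):
            return ".".join(exc[1:])  # exception suffix drops its leftmost label
    best = ()
    for rule in rules:
        if _rule_matches(rule, labels) and len(rule) > len(best):
            best = rule
    if not best:
        best = (labels[-1],)  # PSL default rule "*": the TLD itself
    return ".".join(labels[len(labels) - len(best):])


def registrable_domain(name, psl):
    """eTLD+1 of `name`, or None when the name is itself a public suffix."""
    labels = name.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(name, psl).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[len(labels) - suffix_len - 1:])


def visible_suffix(san):
    """Labels to the right of the last wildcard ('*') or redacted ('?') label."""
    labels = san.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        if labels[i] in ("*", "?"):
            return ".".join(labels[i + 1:])
    return ".".join(labels)


def classify_san(san, psl):
    """'ok' if the visible part of the SAN pins down one registrable domain,
    'overbroad' if the wildcard/redaction swallows it (e.g. '*.com', '?.co.uk')."""
    visible = visible_suffix(san)
    if not visible or registrable_domain(visible, psl) is None:
        return "overbroad"
    return "ok"


PSL = parse_psl(PSL_SUBSET)

# Constructed sample SAN values, as a monitor might see them in (pre)certs.
SAMPLE_SANS = [
    "?.com", "*.com", "?.example.com", "*.co.uk", "*.example.co.uk",
    "?.foo.ck", "?.www.ck", "?.mil", "www.example.org",
]


def audit(sans, psl=PSL):
    """Map each SAN to its verdict."""
    return {san: classify_san(san, psl) for san in sans}


if __name__ == "__main__":
    for san, verdict in audit(SAMPLE_SANS).items():
        print(f"{verdict:9s} {san}")
```

The classifier accepts `?.example.com` (the owner of example.com can tell the precert is in their namespace) but rejects `?.com`, `*.co.uk` and `?.foo.ck`, where the visible remainder is itself a public suffix. Note that `?.mil` is rejected for the same reason even though, as Peter observes, .mil is effectively one organization; a monitor that wants to treat .brand TLDs differently has to carry that knowledge separately, because the PSL only records the public/private split.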
