I have wanted to fix this ever since we discovered it at a previous employer.

-Tim

From: Validation <[email protected]> On Behalf Of Corey Bonnell via Validation
Sent: Tuesday, August 22, 2023 5:13 PM
To: CABforum3 <[email protected]>
Subject: [cabf_validation] Publicly Trusted TLS certs with .arpa domains

Hello,
In reviewing the project board [1] for our group, I did some investigation into 
the "On Deck" item for validation requirements for .arpa domains [2]. It turns 
out that according to Censys, there are currently no unexpired and publicly 
trusted certificates that have been issued with a .arpa domain name [3].

When the topic of prohibiting such issuance was raised several years ago, there 
was some pushback as there were several thousand valid certificates with .arpa 
domain names at the time. However, given that there is potentially no ecosystem 
impact on prohibiting the issuance of such certificates now, perhaps we can 
proceed with a short and simple ballot that establishes such a prohibition.

If others agree, I'd be willing to draft such a ballot. Or, if someone would 
like to develop the proposal, that's perfectly fine too.

Thanks,
Corey

[1] https://github.com/orgs/cabforum/projects/1/views/1
[2] https://github.com/cabforum/servercert/issues/153
[3] https://search.censys.io/search?resource=certificates&q=parsed.extensions.subject_alt_name.dns_names%3A%2F.%2B%5C.arpa%2F+and+parsed.validity_period.not_after%3A%5B2023-08-22+TO+*%5D
_______________________________________________
Validation mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/validation
