Ryan,

On 4/7/22 20:26, Ryan Sleevi wrote:
> Given that public suffixes are an unfortunate fiction invented by browsers, it'd be doubly unfortunate to codify it in an IETF doc.
FWIW, the notion is already codified in RFC 7489 (Section 3.2) and RFC 9091 (in the title, albeit experimental).
> So, in practice, a CA using this spec and conforming to the CA/Browser Forum BRs will refuse to issue such a certificate.
Great.
> However, this is a convenient fiction in separation: the DNS admin of eu.org can, at any time, remove de.eu.org from the public suffix list, as they are the parent authority. In that sense, they have the full technical capability to cause issuance.
Sure. However, if the relevant part of the DNS space is, at the time of certificate issuance, separated into different realms of authority (e.g., as indicated by a PSL entry), then IMO an issuance protocol that allowed skipping the corresponding check is broken. But as you said, the "CA-side protocol" (CAB Forum BRs) already has provisions. I just didn't know whether these would also apply to the new "ACME subdomains" protocol extension; your message implies that they do. IMO, authorization of changes to separation indicators such as the PSL is out of scope for the issuance protocol.
> The requirement of public suffix separation is _primarily_ a holdover from when every validation method was treated equally by CAs (e.g. the use of HTTP to approve a wildcard domain, without demonstrating DNS-based control). With the new separations that restrict such broadening,
Which?

~Peter

-- 
https://desec.io/

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
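The check Peter argues for above (an authorization proven for one name must not be reused for an identifier that the PSL places in a different realm of authority at issuance time) can be made concrete. The following Python is an added example written for this thread; it is not code from the ACME drafts, the CA/Browser Forum BRs, or any CA or desec.io implementation. The suffix rules in `SAMPLE_PSL` are a constructed toy list (not the real publicsuffix.org data), the domain names are constructed samples, and the function names (`public_suffix`, `registrable_domain`, `subdomain_authorization_covers`) are the example's own. It also illustrates Ryan's point: the same check gives a different answer once the `eu.org` and `de.eu.org` entries are removed from the list.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed toy public-suffix list (the real list lives at publicsuffix.org).
# PSL conventions: a bare rule is a suffix, "*." makes every direct child of the
# parent a suffix, and a leading "!" exempts one name from a wildcard rule.
SAMPLE_PSL = [
    "org",
    "eu.org",       # eu.org delegates per-country children ...
    "de.eu.org",    # ... which are listed as suffixes in their own right
    "uk",
    "co.uk",
    "ck",
    "*.ck",         # every child of ck is a suffix ...
    "!www.ck",      # ... except www.ck, which is a registrable name
]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lowercase labels; reject empty names/labels."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or any(not lbl for lbl in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def public_suffix(name: str, psl: list[str]) -> str:
    """Public suffix of `name` under the PSL matching algorithm: an exception
    rule wins outright, otherwise the longest matching rule wins, and the
    implicit '*' rule makes an unlisted TLD its own suffix."""
    labels = _labels(name)
    exceptions = {r[1:] for r in psl if r.startswith("!")}
    wildcards = {r[2:] for r in psl if r.startswith("*.")}
    exact = {r for r in psl if not r.startswith(("!", "*."))}
    longest = 1  # implicit "*" rule
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in exceptions:
            # Exception rule: the suffix is the rule minus its first label.
            return ".".join(labels[i + 1:])
        parent = ".".join(labels[i + 1:]) if i + 1 < len(labels) else None
        if candidate in exact or parent in wildcards:
            longest = max(longest, len(labels) - i)
    return ".".join(labels[-longest:])


def registrable_domain(name: str, psl: list[str]) -> str | None:
    """Public suffix plus one label, or None when `name` is itself a suffix."""
    labels = _labels(name)
    suffix_len = len(public_suffix(name, psl).split("."))
    if suffix_len >= len(labels):
        return None
    return ".".join(labels[-(suffix_len + 1):])


@dataclass
class Decision:
    allowed: bool
    reason: str


def subdomain_authorization_covers(authorized: str, identifier: str,
                                   psl: list[str]) -> Decision:
    """Decide whether control proven for `authorized` may be reused to issue
    for `identifier`. Refuse when the names are not parent/child, when the
    authorized name is a public suffix, or when the two fall under different
    registrable domains according to the list in force at check time."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    auth_labels, ident_labels = _labels(authorized), _labels(base)
    if ident_labels[-len(auth_labels):] != auth_labels:
        return Decision(False, f"{identifier} is not within {authorized}")
    auth_reg = registrable_domain(authorized, psl)
    if auth_reg is None:
        return Decision(False, f"{authorized} is a public suffix; control of it "
                               "does not imply control of names registered below it")
    if registrable_domain(base, psl) != auth_reg:
        return Decision(False, f"{identifier} sits under a different public "
                               f"suffix than {authorized}")
    return Decision(True, f"both names share the registrable domain {auth_reg}")


if __name__ == "__main__":
    for auth, ident in [("example.de.eu.org", "www.example.de.eu.org"),
                        ("eu.org", "example.de.eu.org"),
                        ("co.uk", "example.co.uk"),
                        ("foo.ck", "bar.foo.ck")]:
        print(auth, "->", ident, subdomain_authorization_covers(auth, ident, SAMPLE_PSL))
```

Running the same decision with `eu.org` and `de.eu.org` stripped from the list shows why the separation is only as durable as the list: with those entries gone, an authorization for `eu.org` covers `example.de.eu.org`, which is the scenario the quoted message describes.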
