[dns-operations] Private domains, X.509 certificates, and CAA records

Jim Reid jim at rfc1035.com
Fri Sep 22 11:52:01 UTC 2017


> On 22 Sep 2017, at 12:29, Tony Finch <dot at dotat.at> wrote:
> 
> James Stevens <James.Stevens at jrcs.co.uk> wrote:
>> 
>> If there was some "official" way to create private TLDs, then it's possible the
>> certificate authorities would be happy to start issuing certs for them.
> 
> No, they won't, because it would create vulnerabilities by allowing one
> organization to get certificates corresponding to internal names within a
> different organization. The CAs have to prevent name collisions, which
> requires a global registration system, such as the public DNS.

Indeed. Around the time of the name collision studies (2013/4?) ISTR some hearsay that the CAB Forum was going to get its members to only issue certificates for registered domain names. I think there was considerable pain because certs for .corp (or whatever) were going to have to be killed because of the potential conflict with that TLD if ICANN created it. So the CAB Forum resolved not to let that happen again.

OTOH I may well have imagined that.
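The rule the thread is circling (a CA should only put names under a registered public domain into a certificate, because an internal name like something.corp is not globally unique and could be claimed by anyone) is easy to turn into a pre-issuance check. The block below is an added example written for this page; it is not code from the thread, the CAB Forum or any CA. The public-suffix set and the registered-domain set are constructed stand-ins for the root zone / Public Suffix List and an RDAP or registry lookup that a real CA would consult; the three collision-reserved strings are the ones ICANN set aside after the name collision studies.

```python
"""Added example: classify a requested certificate name (SAN) by whether it is
under a registered public domain, in the spirit of the CA/Browser Forum rule
against issuing for internal names. Not the thread's or any CA's code.
"""
import ipaddress

# Constructed subset of the Public Suffix List. A real CA would load the full
# list (and the IANA root zone) rather than this stand-in.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "at"}

# Strings ICANN withheld from delegation after the name collision studies
# because they were so widely used on private networks.
COLLISION_RESERVED = {"corp", "home", "mail"}

# Constructed stand-in for "is this registrable domain actually registered?"
# (in practice an RDAP/WHOIS or registry-data lookup).
REGISTERED_DOMAINS = {"rfc1035.com", "jrcs.co.uk", "dotat.at"}


def registrable_domain(name: str):
    """Return the registrable domain (public suffix plus one label) for a
    lower-cased, un-dotted hostname, or None if no public suffix matches."""
    if name in PUBLIC_SUFFIXES:
        return None  # the bare suffix itself is not registrable
    labels = name.split(".")
    # Walk from the longest candidate suffix to the shortest so "co.uk"
    # wins over "uk" for names under it.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def classify_san(name: str) -> str:
    """Classify one requested name as one of:
    'ok'                 - under a registered public domain, may be issued
    'internal-name'      - not globally unique (single label, unknown TLD,
                           private IP); must be refused
    'collision-reserved' - under .corp/.home/.mail; must be refused
    'unregistered'       - public suffix known but domain not registered
    'ip-address'         - public IP literal; needs its own validation path
    """
    n = name.strip().rstrip(".").lower()
    if n.startswith("*."):
        n = n[2:]  # validate the wildcard's base domain

    # IP address literals: private/loopback/link-local are internal names.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return "internal-name"
        return "ip-address"

    labels = n.split(".")
    if len(labels) < 2:
        return "internal-name"  # e.g. "intranet"
    if labels[-1] in COLLISION_RESERVED:
        return "collision-reserved"

    dom = registrable_domain(n)
    if dom is None:
        return "internal-name"  # e.g. "printer.local"
    if dom not in REGISTERED_DOMAINS:
        return "unregistered"
    return "ok"


def audit_request(names):
    """Return {name: verdict} for every SAN in a request; issuance should be
    refused if any verdict other than 'ok' or 'ip-address' appears."""
    return {name: classify_san(name) for name in names}


if __name__ == "__main__":
    # Constructed sample request mixing public and internal names.
    for san, verdict in audit_request(
        ["www.rfc1035.com", "fileserver.corp", "intranet", "10.0.0.5",
         "*.jrcs.co.uk", "printer.local", "www.example.com"]).items():
        print(f"{san:20} {verdict}")
```

The check runs from the CA's side, which is the point of the thread: no matter how "official" a private TLD scheme were, nothing in the request itself tells the CA that the requester, rather than some other organisation with the same internal name, is entitled to it, so the only safe policy is to refuse anything that does not resolve to a registered public domain.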
