[dns-operations] Private domains, X.509 certificates, and CAA records

Patrik Fältström paf at frobbit.se
Fri Sep 22 12:11:59 UTC 2017


On 22 Sep 2017, at 13:52, Jim Reid wrote:

>> On 22 Sep 2017, at 12:29, Tony Finch <dot at dotat.at> wrote:
>>
>> James Stevens <James.Stevens at jrcs.co.uk> wrote:
>>>
>>> If there was some "official" way to create private TLDs, then it's possible the
>>> certificate authorities would be happy to start issuing certs for them.
>>
>> No, they won't, because it would create vulnerabilities by allowing one
>> organization to get certificates corresponding to internal names within a
>> different organization. The CAs have to prevent name collisions, which
>> requires a global registration system, such as the public DNS.
>
> Indeed. Around the time of the name collision studies (2013/4?) ISTR some hearsay that the CAB Forum was going to get its members to only issue certificates for registered domain names. I think there was considerable pain because certs for .corp (or whatever) were going to have to be killed because of the potential conflict with that TLD if ICANN created it. So the CAB Forum resolved not to let that happen again.
>
> OTOH I may well have imagined that.

Please see SSAC document SAC-057 on the issue: <https://www.icann.org/en/system/files/files/sac-057-en.pdf>

   Patrik
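As an added defender-side check (example code, not from the thread or from SSAC): audit the subjectAltName entries of certificates you operate for names that are not public, globally registered DNS names, i.e. the collision class the thread describes. The TLD lists are an assumption for illustration; a production check would compare the TLD against the current IANA root zone.

```python
"""Flag SAN entries that are not public, globally registered DNS names."""
import ipaddress
from typing import Optional

# Assumed lists, constructed for this example: RFC 6761/6762 special-use
# names, plus labels ICANN has declined to delegate because of collision risk.
SPECIAL_USE_TLDS = {"local", "localhost", "test", "example", "invalid", "onion"}
UNDELEGATED_RISKY_TLDS = {"corp", "home", "mail", "lan"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if `name` should not appear in a publicly trusted
    certificate, or None if it looks like a public FQDN / global IP."""
    n = name.strip().rstrip(".").lower()
    if not n:
        return "empty name"
    # Literal IP addresses: only globally routable ones can be validated.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        return None if ip.is_global else f"non-public IP address {ip}"
    labels = n.split(".")
    if labels[0] == "*":
        labels = labels[1:]  # wildcard: judge the base domain
    tld = labels[-1]
    if tld in SPECIAL_USE_TLDS:
        return f"special-use TLD .{tld} (RFC 6761/6762)"
    if tld in UNDELEGATED_RISKY_TLDS:
        return f"undelegated / collision-prone TLD .{tld}"
    if len(labels) < 2:
        return "single-label (unqualified) hostname"
    if not tld.isalpha():
        return f"invalid TLD .{tld}"
    return None


def audit_sans(names):
    """Return [(name, reason)] for every SAN entry that fails the check."""
    return [(n, r) for n in names if (r := classify_name(n)) is not None]


# Constructed sample SAN list mixing public and internal names.
SAMPLE_SANS = ["www.example.com", "*.corp", "mail.corp", "intranet",
               "fileserver.local", "10.0.0.5", "93.184.216.34", "*.example.net"]

if __name__ == "__main__":
    for name, reason in audit_sans(SAMPLE_SANS):
        print(f"{name}: {reason}")
```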