On 24/11/17 12:25, Gervase Markham via dev-security-policy wrote:
> On 24/11/17 11:37, Rob Stradling wrote:
>> When issuing a "single domain" certificate to (for example)
>> www.example.com or *.example.com, it's fairly common practice for CAs to
>> also include in the certificate a SAN.dNSName for the "base domain"
>> (e.g., example.com).  (Similarly, if the certificate request is for
>> example.com, some CAs will add a SAN.dNSName for www.example.com).
>
> IMO these two processes are not at all "similar".

The similarity I was talking about is that, in both cases, the CA includes a dNSName in the cert that the subscriber did not explicitly request.

> Validate example.com -> add "www.example.com": seems fine to me, and a
> reasonable accommodation to a common customer desire.
>
> Validate www.example.com -> add "example.com": not at all fine.
>
> Validate *.example.com -> add "example.com": still dodgy IMO.

I agree.  However, my previous message in this thread concerned a deficiency (since fixed) in Comodo's CAA checks, not Comodo's domain validation checks.

> I seem to remember we have come across this before, and I thought we
> said it was not to be done. But perhaps that didn't make it into our
> policy.

Yes, this has come up before.  It was formerly Comodo's practice to...
  "consider proof of control of 'www.<base_domain>' as also proving
   control of '<base_domain>' (except where '<base_domain>' is a public
   suffix)" [1]

> Do we need to add it?

Now that only the "Ten Blessed Methods" of domain validation are permitted, I think it's clear that it's "not to be done".  (But feel free to "add it" if you think it would be useful).


[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
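The point the thread settles on is that any dNSName a CA adds on its own (the base domain for a www.<base_domain> or *.<base_domain> request, or www.<base_domain> for a base-domain request) must go through the same per-name CAA check as the name the subscriber asked for. The following is an added worked example of that check; it is not code from Comodo, from Mozilla, or from anyone in this thread, and it does not reproduce the specific deficiency mentioned above, whose details are not in this message. The public suffix set and the CAA records are constructed stand-ins for illustration (a real CA would consult the Public Suffix List and live DNS). It computes the full set of dNSNames the described practice would place in the certificate, then runs an RFC 6844-style CAA tree climb over each of them, so that a check that only covers the requested name can be compared with one that covers every name in the certificate.

```python
"""CAA check over every dNSName the CA would put in the certificate.

Added example, not code from Comodo or from this thread. The public
suffix set and DNS data below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk"}

# Constructed CAA records: name -> list of (flags, tag, value).
CAARecord = Tuple[int, str, str]
CAA_RECORDS: Dict[str, List[CAARecord]] = {
    "example.com":     [(0, "issue", "ca-a.example")],
    "www.example.com": [(0, "issue", "ca-b.example")],
    "example.co.uk":   [(0, "issue", "ca-b.example")],
}


def cert_names(requested: str) -> List[str]:
    """All dNSNames that end up in the certificate under the practice the
    thread describes: the requested name plus the one the CA adds.
    www.<base> and *.<base> imply <base>, except when <base> is a public
    suffix; a bare base domain implies www.<base>."""
    names = [requested]
    if requested.startswith(("www.", "*.")):
        base = requested.split(".", 1)[1]
        if base not in PUBLIC_SUFFIXES:
            names.append(base)
    elif requested not in PUBLIC_SUFFIXES:
        names.append("www." + requested)
    return names


def caa_rrset(name: str) -> List[CAARecord]:
    """RFC 6844 tree climb: the relevant RRset is the first non-empty one
    found at the name itself or at any of its parents."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = CAA_RECORDS.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def caa_permits(name: str, ca: str) -> bool:
    """True if the relevant CAA RRset lets `ca` issue for `name`.
    No relevant RRset, or one with no issue/issuewild tags, means no
    restriction. For a wildcard name, issuewild records take precedence
    over issue records when any are present."""
    rrset = caa_rrset(name)
    tags = {tag for _, tag, _ in rrset}
    if name.startswith("*.") and "issuewild" in tags:
        relevant = "issuewild"
    elif "issue" in tags:
        relevant = "issue"
    else:
        return True
    # An issue value may carry ";param=value" suffixes; the CA identity is
    # the part before the first semicolon.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == relevant}
    return ca in allowed


def caa_results(requested: str, ca: str, all_names: bool = True) -> Dict[str, bool]:
    """CAA outcome per name for one request. all_names=False checks only
    the name the subscriber asked for and leaves the CA-added name
    unchecked; all_names=True checks every dNSName in the certificate."""
    names = cert_names(requested) if all_names else [requested]
    return {n: caa_permits(n, ca) for n in names}


if __name__ == "__main__":
    ca = "ca-b.example"
    for req in ("www.example.com", "*.example.com", "example.co.uk", "www.co.uk"):
        print(req, "requested-name-only:", caa_results(req, ca, all_names=False))
        print(req, "all cert names:     ", caa_results(req, ca))
```

With the constructed records, a request for www.example.com passes when only the requested name is checked, because www.example.com itself authorises ca-b.example; checking every name in the certificate flags example.com, whose CAA record names a different CA. The public suffix exception from the quoted policy shows up in the www.co.uk case, where no base domain is added at all.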
