Conundrum

One FUD issue some people keep regurgitating to keep us from being included in browsers is the worry that we might issue certificates for the likes of paypal.com. Most people pushing this line neglect to mention that issuing a certificate on its own is mostly useless unless you can also attack the hosts file on a user's computer or the DNS name system, in which case there are bigger problems than falsely issued SSL certificates, especially since most phishing attacks (the most likely abuse of this) don't even bother using SSL.

Currently we require people to have code signing access before we issue IDN/punycode domain or email certificates, and it has been suggested that we impose a similar requirement on anyone requesting certificates for high-profile sites.

One way to determine popularity is through sites like alexa.com, which publish rankings.

I guess the question is how popular must a site be if we want to enforce this, and over what time period?

Another concern is with large organisations: many departments inside these organisations run their own sub-domains, while the TLD is usually handled by the main IT department. This could be cause for concern if someone registers the TLD and starts getting certificates for either the entire organisation or for sub-domains they shouldn't be allowed to control. This is usually governed by the organisation's IT policy, but it could also lead to someone intercepting traffic by setting up a reverse proxy, and there are questions hanging over this as it will potentially affect legitimate users one way or another.
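As an added illustration of the two checks discussed above (example code, not CAcert's own code or policy), here is a Python pre-check that flags a request when the requester has not proven control of the registrable domain, and when that domain has ranked in the top 10,000 on at least 5 of the last 7 days without the requester holding code signing access. The ranking feed, the au.com-style registry list and all thresholds are constructed assumptions.

```python
"""Issuance pre-check for sub-domain control and high-profile sites (added example, not CAcert code)."""

# Constructed daily popularity ranks per registrable domain, oldest first,
# standing in for a ranking feed such as alexa.com.
RANKS = {
    "paypal.com": [4, 5, 4, 4, 6, 5, 4],
    "example.org": [250000, 240000, 260000, 255000, 249000, 251000, 250500],
}

# Assumed list of domains whose owner sells sub-domains to unrelated parties;
# a name directly under one of these is treated as its own registrable domain.
SUBDOMAIN_REGISTRIES = {"au.com"}

POPULARITY_THRESHOLD = 10_000  # rank at or above which a site counts as high profile
MIN_DAYS = 5                   # days within the window the rank must hold
WINDOW = 7                     # length of the observation window in days


def registrable_domain(fqdn: str) -> str:
    """Return the part of fqdn that a single party registers and controls."""
    labels = fqdn.lower().rstrip(".").split(".")
    keep = 2  # default: the last two labels, e.g. www.paypal.com -> paypal.com
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUBDOMAIN_REGISTRIES:
            keep = len(labels) - i + 1  # one label below the registry
            break
    return ".".join(labels[-keep:])


def is_high_profile(domain: str) -> bool:
    """True if the domain ranked at or above the threshold on enough recent days."""
    recent = RANKS.get(domain, [])[-WINDOW:]
    return sum(1 for rank in recent if rank <= POPULARITY_THRESHOLD) >= MIN_DAYS


def issuance_check(fqdn: str, verified_domain: str, has_code_signing: bool):
    """Return (allowed, reasons) for a certificate request on fqdn."""
    reasons = []
    owner_unit = registrable_domain(fqdn)
    verified = verified_domain.lower().rstrip(".")  # name the requester proved control of
    # The verified name must be the registrable domain itself or a name below it;
    # proving control of au.com does not cover shop.au.com.
    if verified != owner_unit and not verified.endswith("." + owner_unit):
        reasons.append(f"{verified} does not control {owner_unit}")
    if is_high_profile(owner_unit) and not has_code_signing:
        reasons.append(f"{owner_unit} is high profile; code signing access required")
    return (not reasons, reasons)
```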

3 thoughts on “Conundrum”

  1. iang

    On your latter point: there is no concern by definition with a domain owner issuing a wildcard cert for sub-domains. They own the domain, they are authoritative. They can do whatever they like in their domain.

    Literally, the PKI and the technical community cannot and should not do anything to break the ability of a domain owner – whether it be a TLD or a lower level domain – to manage and run their own domain as they choose.

  2. Duane Post author

    But the question is: how do you define a domain?

    Someone has registered au.com and sells sub-domains, should they control certs for sub-domains?

  3. iang

    No, they don’t control certs, nobody controls certs. Certs are uncontrolled by definition, by mathematics, and there is no single root.

    Whereas domains are controlled and hierarchical by definition as they have a single root. This is the legacy of the domain space created back in the 80s and now controlled by ICANN via the root servers. It is hierarchical, and what you do inside your domain is totally your decision, once you have acquired the domain, subject to whatever controls are imposed by whoever gave you the domain.

    Now, whether you can exercise some control over certs that purport to affect their domain is an untested question. Anyone can make a statement, and turn that into a signed statement; and it is ultimately a matter for the courts to decide if those statements represent a problem. On the face of it, anyone can make a statement, so the onus would be on you.

    In the specific case of whether I as a CA can issue a cert for au.com, I doubt you could stop it. You could however sue me out of existence *iff* you could show that I was doing so fraudulently. But the case there is fraud, not cert issuance. Which is to say that there exist adequate precedents and legal theories to control real harms without needing to exercise “control” for the sake of it.

    In sum, the answer is no. Nobody has any control over what certs are issued. Relying party beware.
