Continuing the discussion from
Certs for subdomains without the domain owner's permission:
Let’s Encrypt differs from other CAs with regard to issuing certificates for subdomains/hostnames without permission given by the domain owner (see
For example, if I am on dialup on the “example” ISP, I can get a certificate for dialup123.example.com even though example.com is owned by my ISP and he hasn’t given me permission.
I think there needs to be a way for domain owners to prevent this. Perhaps it could be done in DNS using a TXT record?
For domains with such a TXT record there would have to be an additional check, for example using the contact data given in WHOIS or using the domain name without any subdomains/hostname before a certificate is issued.
What do you think? I’m sure this issue has already been considered?
This is a question of domain administrative boundaries. There are a number of instances of the problem (each with a nuance), like Proxy/Interception certificates issued against *.NET, and email SmartHosts that receive mail on behalf of an organization.
The browser and CAs use the Public Suffix List (PSL) in an attempt to determine the administrative boundaries.
The Domain Boundaries (DBOUND) Working Group is attempting to tackle the problem. They have not produced a deliverable at this point.
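To make concrete how the PSL draws the boundary the reply refers to, here is an added example (not code from the thread or from any CA or browser) that implements the public-suffix matching algorithm over a small, constructed subset of PSL rules and reports the registrable domain for a hostname. The rule set embedded below is an assumption for illustration; the real list is much larger and lives at publicsuffix.org.

```python
# Constructed subset of Public Suffix List rules (illustration only, not the real list).
# Syntax as in the PSL: "//" comments, "*" wildcard label, "!" exception rule.
PSL_RULES = """
// generic and country-code suffixes
com
org
uk
co.uk
// wildcard: every second-level label under .ck is a public suffix ...
*.ck
// ... except www.ck, which is a registrable domain in its own right
!www.ck
// private-section style entry: a hosting operator that listed itself
github.io
"""


def parse_rules(text):
    """Return a list of (labels_tuple, is_exception) from PSL-style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        if exception:
            line = line[1:]
        rules.append((tuple(line.lower().split(".")), exception))
    return rules


def _labels(hostname):
    # Normalise case and drop a trailing dot from fully-qualified names.
    return hostname.lower().rstrip(".").split(".")


def rule_matches(rule_labels, host_labels):
    """A rule matches when, compared right to left, every rule label equals the
    host label or is the '*' wildcard. The host may have extra labels on the left."""
    if len(rule_labels) > len(host_labels):
        return False
    for r, h in zip(reversed(rule_labels), reversed(host_labels)):
        if r != "*" and r != h:
            return False
    return True


def public_suffix(hostname, rules):
    """Prevailing rule: an exception rule wins outright (its suffix is the rule
    minus its leftmost label); otherwise the longest matching rule; if nothing
    matches the implicit rule '*' makes the rightmost label the public suffix."""
    labels = _labels(hostname)
    longest = None
    for rule_labels, exception in rules:
        if not rule_matches(rule_labels, labels):
            continue
        if exception:
            return ".".join(labels[-(len(rule_labels) - 1):])
        if longest is None or len(rule_labels) > longest:
            longest = len(rule_labels)
    if longest is None:
        longest = 1
    return ".".join(labels[-longest:])


def registrable_domain(hostname, rules):
    """Public suffix plus one label, or None when the hostname is itself a suffix."""
    labels = _labels(hostname)
    n = len(public_suffix(hostname, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    rules = parse_rules(PSL_RULES)
    for host in ("dialup123.example.com", "www.ck", "example.ck", "alice.github.io"):
        print(f"{host:25s} suffix={public_suffix(host, rules):12s} "
              f"registrable={registrable_domain(host, rules)}")
```

Running it on the hostname from the question shows the limitation the thread is circling: `dialup123.example.com` has registrable domain `example.com`, so from the PSL's point of view the dialup host sits inside the ISP's own administrative boundary, and nothing in the list distinguishes the ISP from one of its customers. Only an operator that has had its own domain added to the list (as the constructed `github.io` entry illustrates) moves the boundary one label to the left.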