Public Suffix List and DBOUND (was: Certs for subdomains without the domain owner’s permission Issuance Policy)

noloader · November 26, 2015, 5:19pm

Continuing the discussion from Certs for subdomains without the domain owner's permission:

Certs for subdomains without the domain owner's permission

Let's Encrypt differs from other CAs with regards to issuing certificates for subdomains/hostnames without permission given by the domain owner (see Can I secure a sub domain even if I don't own the main domain? · Issue #455 · certbot/certbot · GitHub ).

For example if I am on dialup on the "example" ISP, I can get a certificate for
dialup123.example.com even though example.com is owned by my ISP and he hasn't given me permission.

I think there needs to be a way for domain owners to prevent this. Perhaps it could be done in DNS using a TXT record?

For domains with such a TXT record there would have to be an additional check, for example using the contact data given in WHOIS or using the domain name without any subdomains/hostname before a certificate is issued.

What do you think? I'm sure this issue has already been considered?

This is a question of domain administrative boundaries. There are a number instance problems (each with a nuance), like Proxy/Interception certificates issued against *.COM and *.NET, and email SmartHosts that receive mail on behalf of an organization.

The browser and CAs use the Public Suffix List (PSL) in an attempt to determine the administrative boundaries.

The IETF's Domain Boundaries (DBOUND) Working Group is attempting to tackle the problem. They have not produced a deliverable at this point.