Public Suffix List and DBOUND (was: Certs for subdomains without the domain owner’s permission Issuance Policy)

Continuing the discussion from Certs for subdomains without the domain owner's permission:

This is a question of domain administrative boundaries. There are a number of instance problems (each with a nuance), like Proxy/Interception certificates issued against *.COM and *.NET, and email SmartHosts that receive mail on behalf of an organization.

The browsers and CAs use the Public Suffix List (PSL) in an attempt to determine the administrative boundaries.

The IETF's Domain Boundaries (DBOUND) Working Group is attempting to tackle the problem. They have not produced a deliverable at this point.
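How a PSL lookup draws an administrative boundary, as an added example that is not part of the original post. The rule subset is constructed for illustration (the real list is far larger), the function names are hypothetical, and wildcards are handled only in the leftmost position, which is where the PSL format places them.

```python
# Constructed subset of PSL-style rules; not the real list.
SAMPLE_RULES = ["// sample", "com", "net", "uk", "co.uk", "*.ck", "!www.ck", "github.io"]

def parse_rules(lines):
    """Return (rules, exceptions) as sets of reversed label tuples."""
    rules, exceptions = set(), set()
    for line in lines:
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue  # blank line or comment
        target = exceptions if line.startswith("!") else rules
        target.add(tuple(reversed(line.lstrip("!").split("."))))
    return rules, exceptions

RULES, EXCEPTIONS = parse_rules(SAMPLE_RULES)

def public_suffix_len(labels_rev):
    """Number of labels that make up the public suffix."""
    # An exception rule wins; the suffix is the rule minus its leftmost label.
    for n in range(len(labels_rev), 0, -1):
        if tuple(labels_rev[:n]) in EXCEPTIONS:
            return n - 1
    best = 1  # implicit default rule "*": the TLD alone is a suffix
    for n in range(1, len(labels_rev) + 1):
        cand = tuple(labels_rev[:n])
        if cand in RULES or cand[:-1] + ("*",) in RULES:
            best = n  # longest matching rule prevails
    return best

def registrable_domain(host):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels_rev = host.lower().rstrip(".").split(".")[::-1]
    n = public_suffix_len(labels_rev)
    if len(labels_rev) <= n:
        return None
    return ".".join(reversed(labels_rev[:n + 1]))

def same_boundary(a, b):
    """True when both hosts fall under one registrable domain."""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb

def wildcard_allowed(name):
    """Reject a wildcard directly under a public suffix, such as *.com."""
    base = name[2:] if name.startswith("*.") else name
    return registrable_domain(base) is not None
```

With these sample rules, `alice.github.io` and `bob.github.io` land in different boundaries, while `www.example.com` and `mail.example.com` share one.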

