Closed Bug 567193 Opened 12 years ago Closed 6 years ago

Enforce Mozilla CA Policy requirement section 7


(NSS :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: eddy_nigg, Assigned: kwilson)


The Mozilla CA Policy section 7 which calls for the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate which is currently not enforced.

Bug 526560 and other discussions suggest to lay out a plan to enforce this requirement.
<>, Section 7:
> verify that the entity submitting the certificate signing request has
> registered the domain(s) referenced in the certificate or has been
> authorized by the domain registrant to act on the registrant's behalf;

This explicitly asks that the domain is registered.

Internal hostnames like "www", "intranet" or "mail.local" cannot be registered, therefore they are excluded from certified.

So far for the rules, the policy is clear as-can-be on that.


This also has security implications: If certs for "www" are issued to anybody, the cert would have no value. If company A gets a cert for "www", person B can get one as well. Assuming person per can intercept wire traffic in company A, person B can then impersonate the server "www" and read SSL traffic in cleartext, without anybody noticing, because person B's cert is valid for company A's server "www".
If you say that person B cannot intercept traffic in company A: That is precisely the scenario that SSL tries to protect from. So the SSL certificate protection is useless, the SSL guarantees do not hold.

Use "" as internal host (including a cert for "") and let people bookmark it.
That *is* as secure as SSL is.
I would say it's very simple:

1) the domain/hostname being used in the certificate MUST reside under a valid TLD, i.e. .com,, etc. This also ensures that it is globally unique (as opposed to "company-name.internal" or "www") - assuming a registrar doesn't sell a domain name more than once (who knows...). 

Actually that's about all I can think of for now, if a CA can't establish this then chances are they are doing much if any checks at all.
I'll copy what I said in bug 526560 :
Even if it were considered adequate to issue to certificate for a TLD that is known to be non-public, RFC2606 defines that they are *only* 4 values ".test", ".example", ".invalid", ".localhost" that are actually garanteed to never become a public TLD. Any other choice could become a valid TLD at any point in time.

Therefore, only those 4 values can be safely used for a non-public TLD, which means there's little point in doing it.
Jean-Marc, I wonder which protection any of these would give you if your neighbor can get the exact same host name for his certificate too. There is a reason only REGISTERED domains are permitted in the Mozilla CA policy.
Product: → NSS
You need to log in before you can comment on or make changes to this bug.