Ballot-96
passed
Ballot 96 – Wildcard Certificates and New gTLDs
Server Certificate Working Group
Key dates
- Effective date: 01 Sep 2013
- Voting opened: 13 Feb 2013
- Voting closed: 20 Feb 2013
- Discussion opened: 06 Feb 2013
- Discussion closed: 13 Feb 2013
AI Summary
Ballot overview
- Ballot 96, Wildcard Certificates and New gTLDs, was marked Passed on the ballot page.
- The motion was made by Jeremy Rowley and endorsed by Rick Andrews and Steve Roylance.
- The ballot adds new sections 11.1.3 and 11.1.4 to the Requirements.
Wildcard certificate requirements
- Before issuing a certificate with a wildcard character in a CN or subjectAltName of type DNS-ID, a CA must have a documented procedure to determine whether the wildcard is in the first label position to the left of a registry-controlled label or public suffix.
- If a wildcard would fall immediately to the left of a registry-controlled label or public suffix, the CA must refuse issuance unless the applicant proves control of the entire Domain Namespace.
- Examples given include that CAs must not issue *.co.uk or *.local, but may issue *.example.com to Example Co.
- CAs must revoke any valid certificate that does not comply with this section prior to September 1, 2013.
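One way to implement the documented procedure described above, as an added example (not ballot text and not any CA's own code). The suffix set is a small constructed sample, and the function name `check_wildcard`, its parameters, and the rule that only a whole leftmost `*` label is accepted are assumptions of this example.

```python
# Constructed stand-in for a maintained list of registry-controlled labels and
# public suffixes. A real procedure would load a maintained source such as the
# Public Suffix List; "local" is included because the ballot names *.local.
SAMPLE_SUFFIXES = frozenset({"com", "uk", "co.uk", "local"})


def normalize(name):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def check_wildcard(name, suffixes=SAMPLE_SUFFIXES, namespace_control_proven=False):
    """Return (decision, reason) for one CN or DNS-ID subjectAltName value.

    decision is "n/a" (no wildcard), "refuse", or "allow". "allow" only means
    this check does not block; normal domain validation still applies.
    """
    labels = normalize(name).split(".")
    if not any("*" in label for label in labels):
        return ("n/a", "no wildcard character")
    # Assumption of this example: the wildcard must be the entire leftmost label.
    if len(labels) < 2 or labels[0] != "*" or any("*" in l for l in labels[1:]):
        return ("refuse", "wildcard is not a single leftmost label")
    parent = ".".join(labels[1:])
    if parent in suffixes:
        # Wildcard is immediately left of a registry-controlled label/suffix.
        if namespace_control_proven:
            return ("allow", "applicant proved control of the entire namespace")
        return ("refuse", "wildcard immediately left of suffix '%s'" % parent)
    return ("allow", "'%s' is not a listed suffix" % parent)


if __name__ == "__main__":
    # Constructed sample names, including the three the ballot cites.
    for n in ["*.co.uk", "*.local", "*.example.com", "*.CO.UK.",
              "*.example.co.uk", "www.*.example.com", "www.example.com"]:
        print("%-20s %s" % (n, check_wildcard(n)))
```
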
New gTLD requirements
- CAs should not issue certificates containing a new gTLD under consideration by ICANN.
- Before issuing a certificate containing an Internal Server Name with a gTLD that ICANN has announced as under consideration to make operational, the CA must warn the applicant that the gTLD may soon become resolvable and that the CA will revoke the certificate unless the applicant promptly registers the domain name.
- Within 30 days after ICANN has approved a new gTLD for operation, as evidenced by publication of a contract with the gTLD operator on ICANN.org, each CA must compare the new gTLD against its records of valid certificates and cease issuing certificates containing a domain name that includes the new gTLD until it has verified the Subscriber’s control over or exclusive right to use the domain name under Section 11.1.
- Within 120 days after publication of a contract for a new gTLD on ICANN.org, CAs must revoke each certificate containing a domain name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the domain name.
Timing
- The review period was scheduled to commence at 21:00 UTC on 6 February 2013 and close at 21:00 UTC on 13 February 2013.
- The voting period was scheduled to start immediately after the review period and close at 21:00 UTC on 20 February 2013.
- The evidence does not provide a separate discussion start or discussion end date beyond the review period language.
- The ballot text includes the compliance date prior to September 1, 2013 for revocation of noncompliant wildcard certificates.
- The ballot text also includes 30-day and 120-day deadlines tied to publication of a contract for a new gTLD.
Result
- The ballot page explicitly states Passed, and the evidence includes no exclusion notices or other contrary information.
Applicability and conditions
- 2013-09-01: Revoke any valid noncompliant wildcard certificate by this date.
- Applicability: All CAs; wildcard certificates that do not comply with the new wildcard domain validation section.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.