
I can understand why one might desire to purchase a certificate for multiple years but I am left wondering why it appears to be possible to obtain a valid certificate for a domain that may have come under new ownership by way of registering for a short period, deleting and allowing the third party to re-register the name as planned. What's the deal here?

Adi
Squeak
    Does indeed sound broken, but it still seems like a minor issue compared to the huge number of CAs any of which could compromise your security by issuing a certificate they shouldn't have issued. – kasperd Jun 18 '15 at 08:00

1 Answer


There's just no way to fix it. Even if the registration period is two years and a one year certificate is issued, you could still sell or drop the registration next week. There's nothing the certificate authority can do about that. (Well, I suppose they could monitor the registrations and if there's a change in registrant, they could revoke the certificate. I've never heard of any CA doing that though.)

David Schwartz
  • Is there even a way for the registrar to discover which CA signed certificates for the domain, in order to announce the change of registration data? – curiousguy Jul 01 '12 at 15:15
  • No. I was suggesting the CA could monitor the registration. – David Schwartz Jul 01 '12 at 15:17
  • I guess I’m interested in the technical limitations behind this. Why can I buy a valid certificate that will be recognized by pretty much all major players valid for 5 years when my domain is only registered for 1? Everything about this seems shady. – Squeak Jul 02 '12 at 08:38
  • @Matt "_the technical limitations behind this._" The technical limitation is that **there is no minimum time before you lose control of a domain**, either by selling it to someone else, cancelling it, or if somebody else can contest your domain registration (f.ex. if you have provided incorrect information at registration time, someone could prove that your registration is not valid, so it would be cancelled). So maybe the certificate should only be valid for a few hours/minutes, before you get a chance to sell your domain. Maybe you should look at DNSSEC as an alternative. – curiousguy Jul 06 '12 at 23:39
  • There are however now strict rules on that in the CABForum BR document, section 4.9.1.1 about reasons to revoke a certificate, point 4 says "The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);" – Patrick Mevzek Mar 19 '20 at 17:47