What the ICANN SSAC Report Doesn’t Tell You

Friday March 22, 2013

The CA Security Council, which comprises seven of the largest CAs, read with interest the article titled “Internal-use SSL certificates pose security risk for upcoming domain extensions.” As a group in one of the best positions to understand the impact of the new gTLDs on organizational security infrastructure and on the Internet as a whole, we felt it appropriate to comment on this and related stories, which summarize the ICANN Security and Stability Advisory Committee (SSAC) report SAC045, “Invalid Top Level Domain Queries at the Root Level of the Domain Name System.”

Although we agree with many of the concerns raised by the SSAC report, we believe the report failed to adequately recognize that the use of non-public domain extensions is fairly widespread and that the use extends well beyond digital certificates. In seeking to rapidly release new gTLDs, ICANN will create foreseeable security risks and quickly place a significant burden on organizations using internal networks. For many years, organizations of all types have relied on the availability of non-public domain extensions such as .mail, .corp, .local and others in their internal infrastructures. Despite the CAB Forum’s deprecation of internal server names, many entities continue to use .corp for internal network routing.

Use of private domain extensions is a common practice and was even touted as best practice only a few years ago. For two decades, organizations have used private domains to facilitate intranet communications. With ICANN planning to release hundreds of new gTLDs, these organizations must scramble to modify their networks and operations, incurring a significant and unexpected cost. While some new gTLDs will have a lesser impact than others, the .corp extension is notably common and should not be released as a resolvable gTLD.

Since certificates issued to internal names create a potential security risk for the enterprises using them (a certificate for a name such as mail.corp is equally valid on every network that uses that name, and would become valid on the public Internet once .corp resolves), the CASC supports the CAB Forum in moving away from internal names and applauds the efforts of its members in setting a 2016 deadline for their complete elimination. Considering the impact these new policies will have on many organizations, the 2016 phase-out period fairly balances the need for organizations to budget and prepare for this change. As of Nov. 1, 2015, all publicly trusted CAs will cease issuing certificates to internal names, giving organizations three years to explore alternatives, upgrade existing hardware and software, and reconfigure their networks. Unfortunately, ICANN has ignored many of these considerations in its approach toward releasing the new gTLDs, effectively eliminating the ability of organizations to plan for and execute the necessary changes.
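The kind of inventory check an organization would run ahead of that deadline, as an added example that is not code from the CASC, the CAB Forum or the original article: it classifies the subjectAltName entries of a certificate the way the Baseline Requirements distinguish Internal Names and Reserved IP addresses from publicly resolvable names, and flags certificates that will still be alive after the issuance cutoff. The sets of delegated TLDs and applied-for gTLD strings are constructed and abbreviated for illustration (an assumption of this example); a real audit would load the IANA root zone list and ICANN's new gTLD application list instead.

```python
import ipaddress
from datetime import date

# Constructed, abbreviated stand-ins for two real lists (assumption for this example):
# TLDs already delegated in the root zone, and strings applied for in ICANN's
# new gTLD round. A real audit would use the IANA root zone database and the
# ICANN application list.
DELEGATED_TLDS = {"com", "net", "org", "edu", "uk", "de"}
APPLIED_FOR_TLDS = {"corp", "mail", "home"}

# Date from which publicly trusted CAs stop issuing certificates to internal
# names, as stated in the article above.
ISSUANCE_CUTOFF = date(2015, 11, 1)


def classify_name(name, delegated=DELEGATED_TLDS, applied_for=APPLIED_FOR_TLDS):
    """Classify one subjectAltName entry (dNSName or iPAddress as text).

    Returns one of:
      'public'         - a name under a TLD delegated in the root zone
      'collision-risk' - not resolvable today, but its TLD has been applied for,
                         so the same name may become publicly resolvable
      'internal'       - a single label or an undelegated TLD (an Internal Name)
      'reserved-ip'    - a private, loopback or otherwise non-routable address
      'public-ip'      - a globally routable address
    """
    raw = name.strip().rstrip(".").lower()

    # IP literals first: RFC 1918 and other non-routable space counts as reserved.
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        pass
    else:
        return "public-ip" if addr.is_global else "reserved-ip"

    # A wildcard prefix does not change which TLD the name falls under.
    if raw.startswith("*."):
        raw = raw[2:]
    labels = [label for label in raw.split(".") if label]

    if len(labels) < 2:
        # 'fileserver', 'localhost': never resolvable in public DNS.
        return "internal"
    tld = labels[-1]
    if tld in delegated:
        return "public"
    if tld in applied_for:
        return "collision-risk"
    return "internal"


def audit_certificate(sans, not_after, **kw):
    """Report the SAN entries of one certificate that rely on non-public names.

    not_after is the certificate's expiry as a date or an ISO 'YYYY-MM-DD'
    string. A certificate needs replacing if it carries at least one internal,
    collision-risk or reserved-IP entry and is still valid after the cutoff;
    one that expires before the cutoff can be left to expire, but cannot be
    renewed with the same names. (Simplification of the BR timeline assumed
    for this example.)
    """
    if isinstance(not_after, str):
        not_after = date.fromisoformat(not_after)
    findings = {san: classify_name(san, **kw) for san in sans}
    affected = sorted(san for san, cls in findings.items()
                      if cls in {"internal", "collision-risk", "reserved-ip"})
    return {
        "findings": findings,
        "affected": affected,
        "needs_replacement": bool(affected) and not_after > ISSUANCE_CUTOFF,
    }


if __name__ == "__main__":
    # Constructed SAN list, typical of an internal mail/web certificate.
    sample = ["mail.corp", "mail.example.com", "*.intranet.local",
              "fileserver", "10.0.0.5", "8.8.8.8"]
    report = audit_certificate(sample, not_after="2016-06-30")
    for san, cls in report["findings"].items():
        print(f"{san:22} {cls}")
    print("affected entries:", report["affected"])
    print("needs replacement before cutoff:", report["needs_replacement"])
```

The 'collision-risk' class is the one the article is concerned with: such names are Internal Names today and would be refused by a CA after the cutoff, but unlike a plain single-label name they can also start resolving on the public Internet the day the applied-for TLD is delegated, which is why they deserve the earliest attention in a migration plan.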

Many entities have already expressed concerns over these new domain names, including PayPal, the CASC, and CAB Forum. We strongly urge ICANN to consider the ramifications of its actions and show appropriate discretion in releasing new gTLDs, particularly in reference to the widely used .corp extension. We also urge other interested parties to share their opinions with ICANN at https://gtldcomment.icann.org/comments-feedback/programfeedback/login.

This article was originally published by the "CA Security Council". In 2021 the CASC was restructured and renamed the "Public Key Infrastructure Consortium", or "PKI Consortium" for short.
