[cabfpub] RE: Question 4 – Domain Validation pre-ballot

Doug Beattie doug.beattie at globalsign.com
Thu Nov 19 00:41:59 UTC 2015


Kirk - we can still issue certificates to public IP addresses (not Reserved
IP addresses or Internal names).



Doug



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Wednesday, November 18, 2015 6:38 PM
To: CABFPub (public at cabforum.org) <public at cabforum.org>
Subject: [cabfpub] FW: Question 4 - Domain Validation pre-ballot



Wayne Thayer said he tended to agree with Peter Bowen’s comments, and
suggested the following changes:

(1)    Change “Authorization Domain” in this section to “FQDN”, so
Method 8 would read as follows:

8. Having the Applicant demonstrate control over the requested FQDN by the
CA confirming that the Applicant controls an IP address returned from a DNS
lookup for A or AAAA records for the [struck: Authorization Domain Name] FQDN in
accordance with section 3.2.2.5



(2)  As a separate matter Wayne said:



“Also, section 3.2.2.5 includes a practical control method that we should
consider updating to match the new method 6 and an “any other method”
option that we should consider removing as part of this ballot.”



Here is what Sec. 3.2.2.5 says now, with some language underlined for
discussion.  [Question from Kirk - now that we can no longer issue public
certs for IP Addresses, should we simply DELETE BR 3.2.2.5 now?]



3.2.2.5. Authentication for an IP Address

For each IP Address listed in a Certificate, the CA SHALL confirm that, as
of the date the Certificate was issued, the Applicant has control over the
IP Address by:

1. Having the Applicant demonstrate practical control over the IP Address by
making an agreed‐upon change to information found on an online Web page
identified by a uniform resource identifier containing the IP Address;

2. Obtaining documentation of IP address assignment from the Internet
Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE,
APNIC, ARIN, AfriNIC, LACNIC);

3. Performing a reverse‐IP address lookup and then verifying control over
the resulting Domain Name under Section 3.2.2.4; or

4. Using any other method of confirmation, provided that the CA maintains
documented evidence that the method of confirmation establishes that the
Applicant has control over the IP Address to at least the same level of
assurance as the methods previously described.

Note: IPAddresses may be listed in Subscriber Certificates using IPAddress
in the subjectAltName extension or in Subordinate CA Certificates via
IPAddress in permittedSubtrees within the Name Constraints extension.







From: Kirk Hall (RD-US)
Sent: Thursday, November 12, 2015 5:08 PM
To: CABFPub (public at cabforum.org)
Subject: Question 4 - Domain Validation pre-ballot



Question 4 - Domain Validation pre-ballot



Again, Peter Bowen of Amazon did not submit specific new language, but posed
the following comment about new Method No. 8 shown below:



Proposal 4: In line K of current draft (Method No. 8)



“Conversely, in item K, using Authorization Domain seems inappropriate.
Just because I control the IP address of corp.example.com doesn't mean I
have control of payments.corp.example.com.”



Here is the current Ballot language for Method No. 7:



[Current Ballot language]



8. Having the Applicant demonstrate control over the requested FQDN by the
CA confirming that the Applicant controls an IP address returned from a DNS
lookup for A or AAAA records for the Authorization Domain Name in accordance
with section 3.2.2.5; or



On the call today, Wayne Thayer thought he agreed with Peter’s comment, and
offered to come up with revised ballot language on this issue.  There was no
other discussion.



Question for Discussion: Should proving domain control for an SLDN (Base
Domain) or a FQDN by showing the applicant controls an IP address returned
from a DNS lookup for A or AAAA records be sufficient to show domain control
for all higher level FQDNs also?





To Peter Bowen: If you want to comment on this issue, please email to me and
I will post to the Public list.






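As an added illustration of the point Peter raises and the change Wayne proposes (written for this thread, not taken from the ballot text or the Baseline Requirements), the following toy model of Method 8 runs the A/AAAA check once against the Authorization Domain Name and once against the requested FQDN itself. The zone data, addresses, function names and the simplified base-domain handling are all constructed assumptions.

```python
# Added example (not from the ballot thread): a toy model of BR method 8,
# "control of an IP returned by a DNS A/AAAA lookup", comparing the draft
# wording (lookup on the Authorization Domain Name) with the proposed fix
# (lookup on the requested FQDN). DNS data and IPs are constructed; base
# domain handling is simplified (no real Public Suffix List is consulted).

# Constructed zone: corp.example.com is hosted by the applicant, while the
# payments host beneath it points at a third party's address.
ZONE = {
    "corp.example.com":          {"A": {"192.0.2.10"}, "AAAA": {"2001:db8::10"}},
    "www.corp.example.com":      {"A": {"192.0.2.10"}},
    "payments.corp.example.com": {"A": {"198.51.100.7"}},
}

# Addresses the applicant has demonstrated control over (per 3.2.2.5).
APPLICANT_IPS = {"192.0.2.10", "2001:db8::10"}

def lookup_a_aaaa(zone, name):
    """Return the union of A and AAAA records for name (empty set if none)."""
    rrsets = zone.get(name.lower().rstrip("."), {})
    return set(rrsets.get("A", set())) | set(rrsets.get("AAAA", set()))

def authorization_domain_names(fqdn, base_domain):
    """Candidate Authorization Domain Names: the FQDN and every parent down
    to the base (registrable) domain, e.g. payments.corp.example.com ->
    [payments.corp.example.com, corp.example.com, example.com]."""
    labels = fqdn.lower().rstrip(".").split(".")
    base_len = len(base_domain.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]

def controls_ip_of(zone, name, controlled_ips):
    """True if any A/AAAA record for name is an address the applicant controls."""
    return bool(lookup_a_aaaa(zone, name) & set(controlled_ips))

def method8_draft(zone, fqdn, base_domain, controlled_ips):
    """Draft wording: the CA may choose any Authorization Domain Name, so
    control of a parent's address carries down to the requested FQDN."""
    return any(controls_ip_of(zone, adn, controlled_ips)
               for adn in authorization_domain_names(fqdn, base_domain))

def method8_fqdn_only(zone, fqdn, controlled_ips):
    """Proposed wording: the lookup is performed on the requested FQDN itself."""
    return controls_ip_of(zone, fqdn, controlled_ips)

if __name__ == "__main__":
    for name in ("www.corp.example.com", "payments.corp.example.com"):
        print(name,
              "draft:", method8_draft(ZONE, name, "example.com", APPLICANT_IPS),
              "fqdn-only:", method8_fqdn_only(ZONE, name, APPLICANT_IPS))
```

Under the draft wording payments.corp.example.com validates because corp.example.com resolves to an applicant address; under the FQDN-only wording it does not, which is the distinction Peter's comment draws.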


