[cabfpub] Proposed new ballot on IP Addresses in SANs

Richard Barnes rbarnes at mozilla.com
Thu Apr 21 15:20:24 UTC 2016


That seems pretty bogus.  In terms of attack against the SSL connection,
the whole point of the certificate is to remove the DNS as an attack
vector.  In terms of attack against the CA, aren't you doing the same
registry-based validation of IP addresses that you are for DNS names?

On Thu, Apr 21, 2016 at 11:12 AM, Tim Hollebeek <THollebeek at trustwave.com>
wrote:

> Regardless of whether this should be allowed for public certificates, it is
> worth noting that it is not uncommon to use IP addresses in certificates in
> order to remove DNS as an attack vector.
>
> -Tim
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rob Stradling
> Sent: Thursday, April 21, 2016 10:19 AM
> To: public at cabforum.org
> Cc: Rick Andrews
> Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
>
> Why do we need to allow IP addresses in certs anyway?
>
> Are there actually any valid use cases where servers can't be addressed by
> domain names?
>
> On 21/04/16 15:04, Jeremy Rowley wrote:
> > We have and it's not practical. I'm encouraging the customers with the
> > issue to post to the forum to explain why.
> >
> >
> > Richard Barnes <rbarnes at mozilla.com> wrote:
> >
> > Jody, Rick: Have you guys evaluated Ryan's proposed solution?  It
> > seems a bit rash to be changing the BRs if there are compliant options
> > that work.
> >
> > On Thu, Apr 21, 2016 at 9:30 AM, Jody Cloutier <jodycl at microsoft.com
> > <mailto:jodycl at microsoft.com>> wrote:
> >
> >     As a Forum member, Google is certainly within its purview to vote
> >     no, then. Let's put it to a vote and see where it comes down.
> >
> >
> >     ------------------------------------------------------------------------
> >     *From:* Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com>>
> >     *Sent:* Thursday, April 21, 2016 6:24:55 AM
> >     *To:* Jody Cloutier
> >     *Cc:* Richard Barnes; Rick Andrews; public at cabforum.org
> >     <mailto:public at cabforum.org>
> >     *Subject:* Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
> >
> >
> >     On Thu, Apr 21, 2016 at 6:24 AM, Jody Cloutier <jodycl at microsoft.com
> >     <mailto:jodycl at microsoft.com>> wrote:
> >
> >         Simple - because we have customers who now need the
> >         functionality, and without this change we cannot give it to them.
> >
> >
> >     That's not correct - I gave a solution 8 months ago, fully compliant
> >     with the BRs, that would have allowed that behaviour to be given to
> >     them.
> >
> >
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online