[cabfpub] Ballot 202 - Underscore and Wildcard Characters

Peter Bowen pzb at amzn.com
Tue Jul 25 13:01:44 MST 2017

> On Jul 25, 2017, at 12:25 PM, Geoff Keating <geoffk at apple.com> wrote:
>> On 25 Jul 2017, at 12:01 pm, Peter Bowen via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>> Erwann,
>> Thank you for your detailed feedback and I appreciate you providing context for your vote.
>> With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for  They also allow a CA to deliver a certificate for  This is because the current language (which has been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved.  This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses.  While I agree we may be able to further restrict issuance, this ballot covers the common cases.
> That’s not what the language says… the new language says

By “current” language I meant the language in BR 1.4.9, which says:

Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved: 
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml <http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml>
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml <http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml>

This is the language that only reserves /8 or larger ranges for IP v4.
>>>> F. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address Registries: 
>>>> https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml <https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml> or 
>>>> https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml <https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml>
> and the first of those links has marked as ‘false’ for globally reachable.  Now, it’s true that is marked ‘true’ for globally reachable, but I don’t think that anyone should be able to authenticate themselves as controlling that address, so no CA would issue a certificate containing that address.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170725/f0cc68b0/attachment.html>

More information about the Public mailing list