[cabfpub] Ballot 202 - Underscore and Wildcard Characters
geoffk at apple.com
Tue Jul 25 14:46:57 MST 2017
> On Jul 25, 2017, at 1:01 PM, Peter Bowen <pzb at amzn.com> wrote:
>>> On Jul 25, 2017, at 12:25 PM, Geoff Keating <geoffk at apple.com> wrote:
>>> On 25 Jul 2017, at 12:01 pm, Peter Bowen via Public <public at cabforum.org> wrote:
>>> Thank you for your detailed feedback and I appreciate you providing context for your vote.
>>> With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for 188.8.131.52. They also allow a CA to deliver a certificate for 192.168.1.1. This is because the current language (which has been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved. This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses. While I agree we may be able to further restrict issuance, this ballot covers the common cases.
>> That’s not what the language says… the new language says
> By “current” language I meant the language in BR 1.4.9, which says:
> Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved:
> This is the language that only reserves /8 or larger ranges for IP v4.
I don’t see the part of that which is limited to large ranges? The definition says ‘address’, not ‘address range’ implying each address is considered individually. The URLs no longer resolve.
>>>>> F. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address Registries:
>>>>> https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml or
>> and the first of those links has 192.168.0.0/16 marked as ‘false’ for globally reachable. Now, it’s true that 184.108.40.206/32 is marked ‘true’ for globally reachable, but I don’t think that anyone should be able to authenticate themselves as controlling that address, so no CA would issue a certificate containing that address.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public