[cabfpub] Ballot 202 - Underscore and Wildcard Characters

Geoff Keating geoffk at apple.com
Tue Jul 25 14:46:57 MST 2017



> On Jul 25, 2017, at 1:01 PM, Peter Bowen <pzb at amzn.com> wrote:
> 
> 
>>> On Jul 25, 2017, at 12:25 PM, Geoff Keating <geoffk at apple.com> wrote:
>>> 
>>> 
>>> On 25 Jul 2017, at 12:01 pm, Peter Bowen via Public <public at cabforum.org> wrote:
>>> 
>>> Erwann,
>>> 
>>> Thank you for your detailed feedback and I appreciate you providing context for your vote.
>>> 
>>> With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for 192.0.0.9.  They also allow a CA to deliver a certificate for 192.168.1.1.  This is because the current language (which has been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved.  This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses.  While I agree we may be able to further restrict issuance, this ballot covers the common cases.
>> 
>> That’s not what the language says… the new language says
> 
> By “current” language I meant the language in BR 1.4.9, which says:
> 
> Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved: 
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
> http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
> 
> This is the language that only reserves /8 or larger ranges for IP v4.

I don’t see the part of that which is limited to large ranges?  The definition says ‘address’, not ‘address range’ implying each address is considered individually.  The URLs no longer resolve.

>>>>> F. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address Registries: 
>>>>> 
>>>>> https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml or 
>>>>> 
>>>>> https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
>>>>> 
>> 
>> and the first of those links has 192.168.0.0/16 marked as ‘false’ for globally reachable.  Now, it’s true that 192.0.0.9/32 is marked ‘true’ for globally reachable, but I don’t think that anyone should be able to authenticate themselves as controlling that address, so no CA would issue a certificate containing that address.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170725/5b533671/attachment-0001.html>


More information about the Public mailing list