[cabf_validation] Authentication for IP addresses

Doug Beattie doug.beattie at globalsign.com
Thu Nov 17 10:05:56 MST 2016


For IP address validation, is there a reason we should not support all of the applicable DV methods in ballot 169?

Regardless, we’d like to keep:

- 3.2.2.4.2: Email, Fax, SMS, or Postal Mail to Domain Contact (pulled from ARIN or similar system) <Mostly just the Email, but other options might be useful>
- 3.2.2.4.3: Phone contact with IP address contact
- 3.2.2.4.5 Domain Authorization Document
- 3.2.2.4.6 Agreed-Upon Change to Website

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Bruce Morton via Validation
Sent: Thursday, November 17, 2016 11:17 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: [cabf_validation] FW: Authentication for IP addresses

FYI, previous input from Doug.

Bruce.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Wednesday, August 24, 2016 4:52 PM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Subject: [cabf_validation] Authentication for IP addresses

Should we update section 3.2.2.5 so it better aligns with the new DV methods we just updated?

Current section:

1. Having the Applicant demonstrate practical control over the IP Address by making an agreed‐upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
2. Obtaining documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC);
3. Performing a reverse‐IP address lookup and then verifying control over the resulting Domain Name under Section 3.2.2.4; or
4. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described.

Item 1 should be more like this:

1. Confirming the Applicant's control over the IP address by making an agreed-upon change to the web site in accordance with the process defined in 3.2.2.4.6 (except replace FQDN with IP address)

Item 2 is probably OK

Item 3: Doing a reverse DNS look-up and then demonstrating domain control for that domain in accordance with any method in section 3.2.2.4 - is that still acceptable?

We should delete item 4 (any other method).

Doug
