[cabf_validation] Doubt on validation of IP addresses by CAs that are also

Ryan Sleevi sleevi at google.com
Tue Aug 4 08:13:12 MST 2020


Adriano: Are you aware of any RIRs that are also CAs? I'm not sure I am,
and the 3.2.2.4.12 only applies if the CA is the Registrar, which is the
equivalent function (approximately) within DNS as the RIR within the IP
address space*.

If you take your description and apply its counterpart to DNS, we would say:
"If a CA is also a domain name registrant and is managing its own domains,
the CA can know with certainty that the Applicant controls its domain name."

Which we'd quickly see as silly, because that would bypass any domain
validation at all!

Methods 3.2.2.5.2 / 3.2.2.5.5 allow you to retrieve the relevant AS records
from the RIR and use that to perform the validation activities. However,
because the AS records are maintained by the RIR, unless you are the RIR,
you can't correctly implement an "Authorization to manage the AS record is
authorization to issue" (akin to the 3.2.2.4.12 method you mention) without
some demonstration of proof you can manage the AS record - which is what
3.2.2.5.2 / 3.2.2.5.5 are trying to work around.

Not sure if any of this made sense, but hopefully?

* Yes, this blurs the registrar / registry distinction, but the RIRs don't
subdelegate the master registration functions in the way the DNS
registrar/registry split does, and everyone working with the RIR is
effectively a direct registrant.

On Tue, Aug 4, 2020 at 5:14 AM Adriano Santoni via Validation <validation at cabforum.org> wrote:

> Hi all,
>
> I have a doubt regarding the validation of IP addresses.
>
> Maybe I am just overlooking some word or sentence in the BR that solves my
> doubt, but right now I just cannot see it.
>
> Among the methods allowed by the BR for the validation of domains, we have
> method #12:
>
> "3.2.2.4.12 Validating Applicant as a Domain Contact
>
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact. This method may only be used if the CA is
> also the Domain Name Registrar, or an Affiliate of the Registrar, of the
> Base Domain Name."
>
> If I am not overlooking anything, it seems that we do not have a similar
> method for IP addresses, and my doubt is then "why".
>
> If a CA is also an Autonomous System and is directly managing a dedicated
> server - on a specific IP address - for the Applicant, the CA knows with
> certainty that the Applicant controls such IP address, based on its
> records.
>
> TIA for any hints and remarks,
>
> Adriano
>
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
>