[cabf_validation] Doubt on validation of IP addresses by CAs that are also

Ryan Sleevi sleevi at google.com
Fri Aug 7 08:04:26 MST 2020

On Fri, Aug 7, 2020 at 4:14 AM Adriano Santoni via Validation <
validation at cabforum.org> wrote:

> Ryan,
> thank you for your remarks, but I am not sure I fully understand your
> explanation.
> I never suggested that there are RIRs that are also CAs. And I am aware of
> the fact that domains are registered via a hierarchical organization of
> entities, ultimately by Registrars, while the thing is different for IP
> addresses, for which there is no real equivalent of a Registrar.
> Allow me to make a concrete example, just for me to understand better.
> Let's assume that a CA is also an ISP (Internet Service Provider) that
> manages a certain number of nets (ranges of IP addresses), as attested by
> the relevant RIR. In other words, this CA/ISP is the "responsible
> organization" for those ranges of IP addresses. Now, let's assume this CA
> also offers a range of hosting services, among which server hosting with
> dedicated IP addresses. In such case, the CA/ISP knows for certain, based
> on its records, which customers have bought such service and (therefore)
> controls which IP addresses. No-one else, in fact, has such knowledge but
> the CA/ISP itself.
> If I am not mistaking, you say that even in this case, the records of the
> CA/ISP (the contracts for server hosting with dedicated IP addresses) are
> Not a valid proof that a certain customer controls certain IP addresses;
> did I understand correctly?

Yes, it is absolutely not correct or sufficient.

This is no different than a CA saying "Well, we know we own the domain
name" and skipping domain validation: that would be misissuance, and *not*
something allowed in only applies if you are the Registrar (i.e. contracted and
registered with ICANN), not simply the Registrant. So you can't just issue
certs for whatever host name because your customer happens to host with
you: mere hosting doesn't make you a contractually regulated Registrar.
Because there is no equivalent of Registrars within the RIR space, of
course it makes sense that doesn't have an equivalent.

> Adriano
> Il 04/08/2020 17:13, Ryan Sleevi ha scritto:
> Adriano: Are you aware of any RIRs that are also CAs? I'm not sure I am,
> and the only applies if the CA is the Registrar, which is the
> equivalent function (approximately) within DNS as the RIR within the IP
> address space*.
> If you take your description and apply its counterpart to DNS, we would
> say:
> "If a CA is also a domain name registrant and is managing its own domains,
> the CA can know with certainty that the Applicant controls its domain name."
> Which we'd quickly see as silly, because that would bypass any domain
> validation at all!
> Methods / allow you to retrieve the relevant AS
> records from the RIR and use that to perform the validation activities.
> However, because the AS records are maintained by the RIR, unless you are
> the RIR, you can't correctly implement an "Authorization to manage the AS
> record is authorization to issue" (akin to the method you
> mention) without some demonstration of proof you can manage the AS record -
> which is what / are trying to work around.
> Not sure if any of this made sense, but hopefully?
> * Yes, this blurs the registrar / registry distinction, but the RIRs don't
> subdelegate the master registration functions in the way the DNS
> registrar/registry split does, and everyone working with the RIR is
> effectively a direct registrant.
> On Tue, Aug 4, 2020 at 5:14 AM Adriano Santoni via Validation <
> validation at cabforum.org> wrote:
>> Hi all,
>> I have a doubt regarding the validation of IP addresses.
>> Maybe I am just overlooking some word or sentence in the BR that solves
>> my doubt, but right now I just cannot see it.
>> Among the methods allowed by the BR for the validation of domains, we
>> have method #12:
>> " Validating Applicant as a Domain Contact
>> Confirming the Applicant's control over the FQDN by validating the
>> Applicant is the Domain Contact. This method may only be used if the CA is
>> also the Domain Name Registrar, or an Affiliate of the Registrar, of the
>> Base Domain Name."
>> If I am not overlooking anything, it seems that we do not have a similar
>> method for IP addresses, and my doubt is then "why".
>> If a CA is also an Autonomous System and is directly managing a dedicated
>> server - on a specific IP address - for the Applicant, the CA knows with
>> certainty that the Applicant controls such IP address, based on its
>> records.
>> TIA for any hints and remarks,
>> Adriano
>> _______________________________________________
>> Validation mailing list
>> Validation at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/validation
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200807/8fbc444b/attachment-0001.html>

More information about the Validation mailing list