<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-CN link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Thanks Ryan<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>It seems method 1 is the best approach , they do not have domain name, just IP.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Method 1 is very practical but for some company in China, business department that apply for this certificate needs many steps(take many days even weeks) to make the “agreed‐upon<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>change to information found on an online Web page”, so they are reluctant to make this “agreed‐upon change”.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>But anyway, we will request method 1 for them in this case for now. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>We will make more contact with Cloud Service Provider and ISPs in the future and try to find an easier approach for this case. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks again and regards.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Zhang Yi<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Certificate Division Competent<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>China Financial Certification Authority <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Business Department<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Address: 20-3 PingYuanLi,CaiShiKou South Avenue, XiCheng District, Beijing, P.R.China<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Postcode: 100054<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>TEL: <a href="tel:+86%2010%205095%205017" target="_blank"><span style='color:windowtext;text-decoration:none'>+86 010-50955017</span></a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Mobile: <a href="tel:+86%20185%201028%200028" target="_blank"><span style='color:windowtext;text-decoration:none'>+86 18510280028</span></a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Email: <a href="mailto:zhangyi@cfca.com.cn" target="_blank"><span style='color:windowtext;text-decoration:none'>zhangyi@cfca.com.cn</span></a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt'>发件人<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt'> Ryan Sleevi [mailto:sleevi@google.com] <br></span><b><span style='font-size:10.0pt'>发送时间<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt'> 2017</span><span style='font-size:10.0pt'>年<span lang=EN-US>1</span>月<span lang=EN-US>5</span>日<span lang=EN-US> 10:38<br></span><b>收件人<span lang=EN-US>:</span></b><span lang=EN-US> CA/Browser Forum Public Discussion List<br></span><b>抄送<span lang=EN-US>:</span></b><span lang=EN-US> Kirk.Hall; </span>张翼<span lang=EN-US>; </span>赵宇<span lang=EN-US>; </span>赵改侠<span lang=EN-US><br></span><b>主题<span lang=EN-US>:</span></b><span lang=EN-US> Re: [cabfpub] Discussion relate to IP address that belong to Cloud Service Provider.<o:p></o:p></span></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>Using the BRs 1.4.1 (e.g. setting aside the discussion of Ballots 180 - 182)<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>It would be helpful to step back and first evaluate what the Baseline Requirements require of the CA:<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Section 3.2.2.5 of the BRs notes the acceptable ways to validate control over an IP address.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Method 1 requires a practical demonstration of control - not documentation.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Method 2 requires documentation from IANA or the RIR - for which it sounds like the Applicant (a subscriber of the Cloud Service Provider's service) wouldn't be able to provide, because IANA/RIR's interaction were with the Cloud Service Provider. Of course, if the Cloud Service Provider isn't delegated the IP range (unlikely, given that they're a cloud provider, they likely are the RIR's point of contact and advertise that prefix over a variety of ISPs/ASes), they wouldn't be able to provide that documentation - but it sounds like Method 2 is a complete wash for your case (because Applicant != Cloud Service Provider)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Method 3 requires a practical demonstration of control - not documentation.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Method 4 is... well, it's 'any other method', but of note here is whether or not documentation from the Cloud Service Provider meets the bar set out in Method 2 (or the other methods). I would like to suggest that it does not.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>So to issue this certificate, it seems like your best, easiest, and avoiding any form of paper documentation would be to employ one of either method 1 or Method 3. Does that not work?<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div><div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On Wed, Jan 4, 2017 at 6:21 PM, </span>张翼<span lang=EN-US> via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Greetings,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I want to discuss what should CA do if subscriber provide proof that their IP address belong to a Cloud Service Provider.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If subscribers that purchase Cloud service from a Cloud Service Provider (Such as Aliyun in China), and they have contract that indicate the IP address they are using is from the Cloud Service Provider.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But such contract or related document cannot prove that the IP address is from which ISP.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In this case, the certificate application material from users do not contain information about ISP, the Cloud Service Provider may signed many contracts with different ISP, those contract or agreement do not contain any specific IP address or IP range.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In addition Cloud Service Provider refuse to provide contracts between them and ISP to CA because it’s confidential.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What we are trying to do is verify IP address belong to the Cloud Service Provider via public channel (Such as IP address tools).</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>(</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>No Certificate in this case issued yet</span><span style='font-size:11.0pt;color:#1F497D'>)</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In this case:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1, Should this be sufficient to issue certificate?(1,files that prove IP is subscriber applied from Cloud Service Provider. 2,Public tools indicate this IP belongs to this Cloud Service Provider)</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2,Should CA take further actions such as contact ISP directly?(Note that this IP address can be from any ISP in the world, public IP address tools do not take any responsibility for “Bugs” or inaccurate info)</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>3,Any more document CA should request from subscriber, Cloud Service Provider or ISP?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-2084594990000481138_OLE_LINK13"></a><a name="m_-2084594990000481138_OLE_LINK10"></a><a name="m_-2084594990000481138_OLE_LINK11"></a><a name="m_-2084594990000481138_OLE_LINK12"></a><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Zhang Yi</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Certificate Division Competent</span></b><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>China Financial Certification Authority </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Business Department</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Address: 20-3 PingYuanLi,CaiShiKou South Avenue, XiCheng District, Beijing, P.R.China</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Postcode: 100054</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>TEL: <a href="tel:+86%2010%205095%205017" target="_blank">+86 010-50955017</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Mobile: <a href="tel:+86%20185%201028%200028" target="_blank">+86 18510280028</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#1F497D'>Email: </span><span lang=EN-US><a href="mailto:zhangyi@cfca.com.cn" target="_blank"><span style='font-size:11.0pt;color:#1F497D'>zhangyi@cfca.com.cn</span></a><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></body></html>