<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 25, 2017, at 12:25 PM, Geoff Keating <<a href="mailto:geoffk@apple.com" class="">geoffk@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 25 Jul 2017, at 12:01 pm, Peter Bowen via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Erwann,</div><div class=""><br class=""></div><div class="">Thank you for your detailed feedback and I appreciate you providing context for your vote.</div><div class=""><br class=""></div><div class="">With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for 192.0.0.9.  They also allow a CA to deliver a certificate for 192.168.1.1.  This is because the current language (which has been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved.  This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses.  
While I agree we may be able to further restrict issuance, this ballot covers the common cases.</div></div></div></blockquote><div class=""><br class=""></div><div class="">That’s not what the language says… the new language says</div></div></div></div></blockquote><div><br class=""></div>By “current” language I meant the language in BR 1.4.9, which says:</div><div><br class=""></div><div>Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved: </div><div><a href="http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml" class="">http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml</a></div><div><a href="http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml" class="">http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml</a></div><div><br class=""></div><div>This is the language that only reserves /8 or larger ranges for IP v4.<br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><div class=""><blockquote type="cite" class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><blockquote type="cite" class=""><div class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="WordSection1" style="page: WordSection1; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; line-height: normal;"><p class="line874" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">F. 
In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address Registries: <o:p class=""></o:p></p><p class="line867" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><a href="https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" class="" style="color: rgb(149, 79, 114);">https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml</a> or <o:p class=""></o:p></p><p class="line867" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><a href="https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" class="" style="color: rgb(149, 79, 114);">https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml</a><o:p class=""></o:p></p></div></div></blockquote></div></div></div></div></blockquote></div></div></blockquote><br class=""></div><div class="">and the first of those links has 192.168.0.0/16 marked as ‘false’ for globally reachable.  Now, it’s true that 192.0.0.9/32 is marked ‘true’ for globally reachable, but I don’t think that anyone should be able to authenticate themselves as controlling that address, so no CA would issue a certificate containing that address.</div></div></div></div></blockquote></div></body></html>
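The two definitions compared in this thread, as an added example that is not code from any participant or from the CA/Browser Forum: it classifies an IPv4 address under the /8-level reading described for BR 1.4.9 and under the proposed "Globally Reachable = False" reading, using the most specific registry entry so that 192.0.0.9/32 overrides the enclosing 192.0.0.0/24. The function names are hypothetical, the /8-level block list is the one stated in the thread, and the special-purpose table is a constructed, abridged excerpt of the IANA registry.

```python
import ipaddress

# Old reading, as stated in the thread: only whole top-level blocks are reserved.
OLD_RESERVED_BLOCKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3")]

# Constructed, abridged excerpt of the IANA IPv4 Special-Purpose Address
# Registry: (prefix, value of the "Globally Reachable" column).
SPECIAL_PURPOSE = [(ipaddress.ip_network(p), g) for p, g in (
    ("0.0.0.0/8", False),
    ("10.0.0.0/8", False),
    ("100.64.0.0/10", False),
    ("127.0.0.0/8", False),
    ("169.254.0.0/16", False),
    ("172.16.0.0/12", False),
    ("192.0.0.0/24", False),
    ("192.0.0.9/32", True),      # more specific than 192.0.0.0/24
    ("192.0.2.0/24", False),
    ("192.168.0.0/16", False),
    ("198.18.0.0/15", False),
    ("198.51.100.0/24", False),
    ("203.0.113.0/24", False),
    ("240.0.0.0/4", False),
)]

def reserved_old(addr):
    """Reserved under the /8-level reading described for BR 1.4.9."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OLD_RESERVED_BLOCKS)

def reserved_new(addr):
    """Reserved under the ballot text: Globally Reachable is False."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, g) for net, g in SPECIAL_PURPOSE if ip in net]
    if not matches:
        return False  # not listed in the excerpt, so not marked "False"
    # Longest-prefix match: the most specific registry entry decides.
    _, reachable = max(matches, key=lambda m: m[0].prefixlen)
    return not reachable

def compare(addrs):
    """Map each address to (reserved_old, reserved_new)."""
    return {a: (reserved_old(a), reserved_new(a)) for a in addrs}

if __name__ == "__main__":
    for a, r in compare(["192.168.1.1", "192.0.0.9", "192.0.0.1", "10.1.2.3"]).items():
        print(a, "old:", r[0], "new:", r[1])
```

A pre-issuance check built this way would load the full current registries rather than the excerpt above.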