<div dir="ltr"><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 7, 2020 at 4:14 AM Adriano Santoni via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><font face="Calibri">Ryan,</font></p>
<p><font face="Calibri">thank you for your remarks, but I am not
sure I fully understand your explanation.</font> <br>
</p>
<p>I never suggested that there are RIRs that are also CAs. And I am
aware of the fact that domains are registered via a hierarchical
organization of entities, ultimately by Registrars, while things
are different for IP addresses, for which there is no real
equivalent of a Registrar.<br>
</p>
<p>Allow me to give a concrete example, just so that I can understand
better.</p>
<p>Let's assume that a CA is also an ISP (Internet Service Provider)
that manages a certain number of nets (ranges of IP addresses), as
attested by the relevant RIR. In other words, this CA/ISP is the
"responsible organization" for those ranges of IP addresses. Now,
let's assume this CA also offers a range of hosting services,
among which server hosting with dedicated IP addresses. In such a
case, the CA/ISP knows for certain, based on its records, which
customers have bought such service and (therefore) controls which
IP addresses. No-one else, in fact, has such knowledge but the
CA/ISP itself.<br>
</p>
<p>If I am not mistaken, you say that even in this case, the
records of the CA/ISP (the contracts for server hosting with
dedicated IP addresses) are not valid proof that a certain
customer controls certain IP addresses; did I understand
correctly?</p></div></blockquote><div><br></div><div>Yes, it is absolutely not correct or sufficient.</div><div><br></div><div>This is no different than a CA saying "Well, we know we own the domain name" and skipping domain validation: that would be misissuance, and *not* something allowed in 3.2.2.4.12.</div><div><br></div><div>3.2.2.4.12 only applies if you are the Registrar (i.e. contracted and registered with ICANN), not simply the Registrant. So you can't just issue certs for whatever host name because your customer happens to host with you: mere hosting doesn't make you a contractually regulated Registrar. Because there is no equivalent of Registrars within the RIR space, of course it makes sense that 3.2.2.5 doesn't have an equivalent.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>Adriano </p>
<p><br>
</p>
<div>On 04/08/2020 17:13, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Adriano: Are you aware of any RIRs that are also
CAs? I'm not sure I am, and 3.2.2.4.12 only applies if the
CA is the Registrar, which is the equivalent function
(approximately) within DNS as the RIR within the IP address
space*.
<div><br>
</div>
<div>If you take your description and apply its counterpart to
DNS, we would say:</div>
<div>"If a CA is also a domain name registrant and is managing
its own domains, the CA can know with certainty that the
Applicant controls its domain name."</div>
<div><br>
</div>
<div>Which we'd quickly see as silly, because that would bypass
any domain validation at all!</div>
<div><br>
</div>
<div>
<div>Methods 3.2.2.5.2 / 3.2.2.5.5 allow you to retrieve the
relevant AS records from the RIR and use that to perform the
validation activities. However, because the AS records are
maintained by the RIR, unless you are the RIR, you can't
correctly implement an "Authorization to manage the AS
record is authorization to issue" (akin to the 3.2.2.4.12
method you mention) without some demonstration of proof you
can manage the AS record - which is what 3.2.2.5.2 /
3.2.2.5.5 are trying to work around.</div>
<div><br>
</div>
<div>Not sure if any of this made sense, but hopefully?</div>
<div><br>
</div>
<div>* Yes, this blurs the registrar / registry distinction,
but the RIRs don't subdelegate the master registration
functions in the way the DNS registrar/registry split does,
and everyone working with the RIR is effectively a direct
registrant.</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Aug 4, 2020 at 5:14 AM
Adriano Santoni via Validation <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><font face="Calibri">Hi all,</font></p>
<p><font face="Calibri">I have a doubt regarding the
validation of IP addresses. <br>
</font></p>
<p><font face="Calibri">Maybe I am just overlooking some
word or sentence in the BR that solves my doubt, but
right now I just cannot see it.<br>
</font></p>
<p><font face="Calibri">Among the methods allowed by the BR
for the validation of domains, we have method #12:</font></p>
<p><font face="Calibri">"</font><font face="Calibri">3.2.2.4.12
Validating Applicant as a Domain Contact</font></p>
<p><font face="Calibri">Confirming the Applicant's control
over the FQDN by validating the Applicant is the Domain
Contact. This method may only be used if the CA is also
the Domain Name Registrar, or an Affiliate of the
Registrar, of the Base Domain Name."</font></p>
<p><font face="Calibri">If I am not overlooking anything, it
seems that we do not have a similar method for IP
addresses, and my doubt is then "why".<br>
</font></p>
<p><font face="Calibri">If a CA is also an Autonomous System
and is directly managing a dedicated server - on a
specific IP address - for the Applicant, the CA knows with certainty that the
Applicant controls such IP address, based on
its records.<br>
</font></p>
<font face="Calibri">TIA for any hints and remarks,</font>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<p><br>
</p>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div></div>