[cabfpub] VWG Question 4 – Domain Validation pre-ballot

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Nov 18 17:44:41 MST 2015


You are right – sorry, I forgot.
So to Wayne’s question – do we need to modify BR 3.2.2.5 to align with Method 6 and eliminate the current “any other method” language of subsection (4)?
Here is new Method 6 for BR 3.2.2.4 as it now stands:
6. Having the Applicant demonstrate control over the requested FQDN by installing a Random Value (contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA) under "/.well-known/validation" directory on an Authorized Domain Name that can be validated over an Authorized Port; or
From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Wednesday, November 18, 2015 4:42 PM
To: Kirk Hall (RD-US); CABFPub (public at cabforum.org)
Subject: RE: Question 4 – Domain Validation pre-ballot

Kirk – we can still issue certificates to public IP addresses (not Reserved IP addresses or Internal names).

Doug

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Wednesday, November 18, 2015 6:38 PM
To: CABFPub (public at cabforum.org) <public at cabforum.org>
Subject: [cabfpub] FW: Question 4 – Domain Validation pre-ballot

Wayne Thayer said he tended to agree with Peter Bowen’s comments, and suggested the following changes:

(1)    Change “Authorization Domain” in this section to “FQDN”, so Method 8 would read as follows:

8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name  FQDN in accordance with section 3.2.2.5

(2)  As a separate matter Wayne said:

“Also, section 3.2.2.5 includes a practical control method that we should consider updating to match the new method 6 and an “any other method” option that we should consider removing as part of this ballot.”

Here is what Sec. 3.2.2.5 says now, with some language underlined for discussion.  [Question from Kirk – now that we can no longer issue public certs for IP Addresses, should we simply DELETE BR 3.2.2.5 now?]


3.2.2.5. Authentication for an IP Address
For each IP Address listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant has control over the IP Address by:
1. Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
2. Obtaining documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC);
3. Performing a reverse-IP address lookup and then verifying control over the resulting Domain Name under Section 3.2.2.4; or
4. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described.
Note: IPAddresses may be listed in Subscriber Certificates using IPAddress in the subjectAltName extension or in Subordinate CA Certificates via IPAddress in permittedSubtrees within the Name Constraints extension.
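Method 6 as quoted at the top of this thread, and item 1 of 3.2.2.5 above, both rest on the same idea: the CA mints a value the Applicant could not have guessed and then looks for it at an agreed location. The block below is an added example of the CA-side check for Method 6 with the Random Value in the file name under "/.well-known/validation"; it is not ballot text or any CA's code. The host name, port and Random Value are constructed, and the Applicant's web server is an in-memory stub (a real HTTP fetcher is included alongside it). The check also requires the Random Value in the file body, which the ballot text does not demand; that is a hardening choice explained in the comments.

```python
"""Method 6 (file-based demonstration of control), CA-side check.

Added example for this thread, not ballot text or any CA's code. Host name,
port and Random Value are constructed; the Applicant side is an in-memory
stub, with a real HTTP fetcher provided for use against a live server.
"""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

WELL_KNOWN_PREFIX = "/.well-known/validation/"

# A fetcher takes (host, port, path) and returns the response body, or None
# when the resource cannot be retrieved with a 200 status.
Fetcher = Callable[[str, int, str], Optional[bytes]]


def generate_random_value(nbytes: int = 16) -> str:
    """The CA mints the Random Value (here 128 bits, hex-encoded) it will look for."""
    return secrets.token_hex(nbytes)


def http_fetch(host: str, port: int, path: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch over plain HTTP on the given Authorized Port (assumption: port 80/HTTP)."""
    url = f"http://{host}:{port}{path}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-validator"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read(4096)  # the value is short; never read unbounded bodies
    except (urllib.error.URLError, OSError):  # HTTPError is a URLError subclass
        return None


def make_stub_fetch(files: Dict[str, bytes]) -> Fetcher:
    """Constructed Applicant web server: an in-memory path -> body mapping."""
    def fetch(host: str, port: int, path: str) -> Optional[bytes]:
        return files.get(path)
    return fetch


def catch_all_fetch(host: str, port: int, path: str) -> Optional[bytes]:
    """Constructed misconfigured server that answers 200 with boilerplate to any path."""
    return b"<html>It works!</html>\n"


def check_method6(fetch: Fetcher, host: str, port: int, random_value: str) -> bool:
    """Method 6 with the Random Value as the file name.

    The value must also appear in the body: a server that answers 200 to every
    path under /.well-known/validation/ would otherwise pass on the file name
    alone, proving nothing about who placed the file.
    """
    body = fetch(host, port, WELL_KNOWN_PREFIX + random_value)
    if body is None:
        return False
    return random_value.encode("ascii") in body


def demo() -> Dict[str, bool]:
    """Run the check against four constructed Applicant servers."""
    rv = generate_random_value()
    honest = make_stub_fetch({WELL_KNOWN_PREFIX + rv: (rv + "\n").encode()})
    stale = make_stub_fetch({WELL_KNOWN_PREFIX + rv: b"value-from-an-earlier-request\n"})
    host, port = "www.example.com", 80
    return {
        "honest": check_method6(honest, host, port, rv),        # value published correctly
        "stale": check_method6(stale, host, port, rv),          # file exists, wrong content
        "catch_all": check_method6(catch_all_fetch, host, port, rv),  # 200 to everything
        "missing": check_method6(make_stub_fetch({}), host, port, rv),  # nothing published
    }


if __name__ == "__main__":
    print(demo())
```

Swapping `make_stub_fetch(...)` for `http_fetch` runs the same check against a live server; the remainder of the logic is unchanged, which is the point of keeping the fetcher separate from the acceptance rule.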
From: Kirk Hall (RD-US)
Sent: Thursday, November 12, 2015 5:08 PM
To: CABFPub (public at cabforum.org)
Subject: Question 4 – Domain Validation pre-ballot

Question 4 – Domain Validation pre-ballot

Again, Peter Bowen of Amazon did not submit specific new language, but posed the following comment about new Method No. 8 shown below:

Proposal 4: In line K of current draft (Method No. 8)

“Conversely, in item K, using Authorization Domain seems inappropriate.  Just because I control the IP address of corp.example.com doesn't mean I have control over payments.corp.example.com.”


Here is the current Ballot language for Method No. 7:

[Current Ballot language]

8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 3.2.2.5; or

On the call today, Wayne Thayer thought he agreed with Peter’s comment, and offered to come up with revised ballot language on this issue.  There was no other discussion.

Question for Discussion: Should proving domain control for an SLDN (Base Domain) or a FQDN by showing the applicant controls an IP address returned from a DNS lookup for A or AAAA records be sufficient to show domain control for all higher level FQDNs also?


To Peter Bowen: If you want to comment on this issue, please email to me and I will post to the Public list.
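The Question for Discussion above, and Peter Bowen's comment before it, turn on which owner name the CA looks up in Method 8: the Authorization Domain Name or the requested FQDN itself. The block below is an added example of the Method 8 check written both ways so the difference is visible; it is not ballot text or any CA's code. The zone data is constructed (RFC 5737 and RFC 3849 documentation addresses) and the resolver is a stub, where a real deployment would query DNS.

```python
"""Method 8 (Applicant controls an address returned by A/AAAA lookup), CA-side check.

Added example for this thread, not ballot text or any CA's code. The zone is
constructed from documentation address ranges; the resolver is a stub.
"""
import ipaddress
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# A resolver takes (owner name, "A" or "AAAA") and returns the rdata strings.
Resolver = Callable[[str, str], List[str]]

# Constructed zone: the corporate name and the payments host sit on different
# addresses, which is the situation Peter Bowen's comment describes.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("corp.example.com", "A"): ["192.0.2.10"],
    ("corp.example.com", "AAAA"): ["2001:db8::10"],
    ("payments.corp.example.com", "A"): ["198.51.100.7"],
}


def make_stub_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Stand-in for a DNS client; exact owner-name match, no parent walk."""
    def resolve(name: str, rrtype: str) -> List[str]:
        return zone.get((name.rstrip(".").lower(), rrtype), [])
    return resolve


def resolved_addresses(resolver: Resolver, name: str) -> FrozenSet[IPAddr]:
    """All A and AAAA addresses published for exactly this owner name."""
    addrs = set()
    for rrtype in ("A", "AAAA"):
        for rdata in resolver(name, rrtype):
            addrs.add(ipaddress.ip_address(rdata))
    return frozenset(addrs)


def parent_domains(fqdn: str, base_domain: str) -> List[str]:
    """Authorization Domain Name candidates: the FQDN and each parent down to the base domain."""
    labels = fqdn.rstrip(".").lower().split(".")
    base_labels = base_domain.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - len(base_labels) + 1)]


def method8_check(resolver: Resolver, lookup_name: str, controlled_ips: Iterable[str]) -> bool:
    """True if an address the Applicant controls (validated under 3.2.2.5)
    appears among the A/AAAA records of lookup_name."""
    controlled = frozenset(ipaddress.ip_address(ip) for ip in controlled_ips)
    return bool(resolved_addresses(resolver, lookup_name) & controlled)


def demo() -> Dict[str, bool]:
    """Same request, looked up two ways."""
    resolver = make_stub_resolver(ZONE)
    fqdn = "payments.corp.example.com"
    authz_domain = parent_domains(fqdn, "example.com")[1]  # corp.example.com
    controlled = ["192.0.2.10"]  # Applicant has shown control of corp.example.com's address only
    return {
        # Looking up the Authorization Domain Name accepts the request even though
        # the payments host is on an address the Applicant never demonstrated.
        "authorization_domain_lookup": method8_check(resolver, authz_domain, controlled),
        # Looking up the requested FQDN itself, as change (1) above proposes, refuses it.
        "fqdn_lookup": method8_check(resolver, fqdn, controlled),
        # The FQDN lookup still passes when the Applicant does control the payments address.
        "fqdn_lookup_controlled": method8_check(resolver, fqdn, ["198.51.100.7"]),
    }


if __name__ == "__main__":
    print(demo())
```

`parent_domains` is included only to show where the Authorization Domain Name comes from in the first case; the acceptance decision itself is the one-line set intersection in `method8_check`, and the outcome depends entirely on which name is passed to it.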


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.