[cabfpub] =?gb2312?B?Rlc6IFF1ZXN0aW9uIDQgqEMgRG9tYWluIFZhbGlkYXRpb24gcHJlLWJhbGxv?= =?gb2312?Q?t?=
kirk_hall at trendmicro.com
kirk_hall at trendmicro.com
Wed Nov 18 23:37:30 UTC 2015
Wayne Thayer said he tended to agree with Peter Bowen¡¯s comments, and suggested the following changes:
(1) Change ¡°Authorization Domain¡± in this section to ¡°FQDN¡±, so Method 8 would read as follows:
8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name FQDN in accordance with section 126.96.36.199
(2) As a separate matter Wayne said:
¡°Also, section 188.8.131.52 includes a practical control method that we should consider updating to match the new method 6 and an ¡°any other method¡± option that we should consider removing as part of this ballot.¡±
Here is what Sec. 184.108.40.206 says now, with some language underlined for discussion. [Question from Kirk ¨C now that we can no longer issue public certs for IP Addresses, should we simply DELETE BR 220.127.116.11 now?]
18.104.22.168. Authentication for an IP Address
For each IP Address listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant has control over the IP Address by:
1. Having the Applicant demonstrate practical control over the IP Address by making an agreed©\upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
2. Obtaining documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC);
3. Performing a reverse©\IP address lookup and then verifying control over the resulting Domain Name under Section 22.214.171.124; or
4. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described.
Note: IPAddresses may be listed in Subscriber Certificates using IPAddress in the subjectAltName extension or in Subordinate CA Certificates via IPAddress in permittedSubtrees within the Name Constraints extension.
From: Kirk Hall (RD-US)
Sent: Thursday, November 12, 2015 5:08 PM
To: CABFPub (public at cabforum.org)
Subject: Question 4 ¨C Domain Validation pre-ballot
Question 4 ¨C Domain Validation pre-ballot
Again, Peter Bowen of Amazon did not submit specific new language, but posed the following comment about new Method No. 8 shown below:
Proposal 4: In line K of current draft (Method No. 8)
¡°Conversely, in item K, using Authorization Domain seems inappropriate. Just because I control the IP address of corp.example.com<http://corp.example.com> doesn't mean I have control payments.corp.example.com<http://payments.corp.example.com>.¡±
Here is the current Ballot language for Method No. 7:
[Current Ballot language]
8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 126.96.36.199; or
On the call today, Wayne Thayer thought he agreed with Peter¡¯s comment, and offered to come up with revised ballot language on this issue. There was no other discussion.
Question for Discussion: Should proving domain control for an SLDN (Base Domain) or a FQDN by showing the applicant controls an IP address returned from a DNS lookup for A or AAAA records be sufficient to show domain control for all higher level FQDNs also?
To Peter Bowen: If you want to comment on this issue, please email to me and I will post to the Public list.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public