[cabfpub] Proposed new ballot on IP Addresses in SANs

Wayne Thayer wthayer at godaddy.com
Sat Apr 16 01:31:41 UTC 2016


Adding some history:

The number of certlint findings that Peter Bowen published back in November supports Rick's argument that we really aren't getting along without this: https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing

This is part of a long thread in which it is suggested that IP addresses be placed in multiple CN entries and that this problem should be resolved by the CAB Forum: https://groups.google.com/d/topic/mozilla.dev.security.policy/Av6oZxbjvB4/discussion

The discussion goes back to at least August, including this post in which Ryan states that CAs can make this work without violating any RFCs, but only if the certificate doesn’t also contain any hostnames: https://cabforum.org/pipermail/public/2015-August/005851.html

I would like to see more discussion and a clear resolution to this issue.

Rick - I will endorse your ballot.

Thanks,

Wayne

From: public-bounces at cabforum.org On Behalf Of Rick Andrews
Sent: Friday, April 15, 2016 4:46 PM
To: Richard Barnes <rbarnes at mozilla.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs

Richard, some of us CAs have “gotten along” by issuing certs that violate this part of the BRs. Given that customers can only get certs that work in Windows if we violate this part of the BRs, and given that Microsoft isn’t able or willing to patch all old versions of Windows to address this, I’d like to legalize what we’ve been forced to do.

-Rick

From: Richard Barnes <rbarnes at mozilla.com>
Sent: Friday, April 15, 2016 3:43 PM
To: Rick Andrews <Rick_Andrews at symantec.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs

Rick: This seems pretty abusive. Given that apparently you've gotten along without this so far, what's the compelling use case?

On Fri, Apr 15, 2016 at 6:09 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
It’s come to our attention that all versions of Windows prior to Windows 10
cannot handle SANs of type IPAddress. Those older versions correctly handle
IP addresses in SANs if they are of type dNSName. Jody from Microsoft has
confirmed this.

I’d like to propose a ballot to allow IP addresses in SANs of type dNSName
to allow for this. Jody has said he would endorse. I need another endorser.
The proposed change is this (added text between + signs):

7.1.4.2.1 Subject Alternative Name Extension
Each entry MUST be either a dNSName containing the Fully‐Qualified Domain
Name +or the IP address of a server,+ or an iPAddress containing the IP
address of a server

-Rick
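The dNSName-versus-iPAddress distinction in the proposal above, as an added certlint-style check that is not part of this thread or of certlint itself: it walks a DER-encoded SubjectAltName and flags dNSName entries that are really IP literals (the encoding Windows before 10 needs, which the current 7.1.4.2.1 text forbids). The sample SAN bytes and the helper names are constructed for this example.

```python
import ipaddress

# GeneralName context-specific tags from RFC 5280 (IMPLICIT, primitive encoding)
DNSNAME_TAG = 0x82
IPADDRESS_TAG = 0x87


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def san_findings(san_der):
    """Lint a DER SubjectAltName value (GeneralNames).
    Returns a list of (entry_type, value, finding) tuples."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    findings, pos = [], 0
    while pos < len(body):
        gn_tag, value, pos = _read_tlv(body, pos)
        if gn_tag == DNSNAME_TAG:
            name = value.decode("ascii")
            try:
                ipaddress.ip_address(name)
            except ValueError:
                findings.append(("dNSName", name, "ok"))   # a hostname, as BR 7.1.4.2.1 expects
            else:
                # IP literal inside a dNSName: non-compliant under the current BR text,
                # permitted only if the proposed "+or the IP address of a server+" passes
                findings.append(("dNSName", name, "ip-literal-in-dnsname"))
        elif gn_tag == IPADDRESS_TAG:
            if len(value) not in (4, 16):
                findings.append(("iPAddress", value.hex(), "bad-length"))
            else:
                findings.append(("iPAddress", str(ipaddress.ip_address(value)), "ok"))
        else:
            findings.append(("other", value.hex(), "unchecked"))
    return findings


def _gn(tag, payload):
    """Encode one short-form TLV (constructed sample data only, payload < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload


# Constructed sample: an FQDN, the same IP as a dNSName literal, and a proper iPAddress
SAMPLE_SAN = _gn(0x30, _gn(DNSNAME_TAG, b"www.example.com")
                       + _gn(DNSNAME_TAG, b"192.0.2.10")
                       + _gn(IPADDRESS_TAG, bytes([192, 0, 2, 10])))
```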
