[cabfpub] Proposed new ballot on IP Addresses in SANs

Rick Andrews Rick_Andrews at symantec.com
Sat Apr 16 16:31:21 UTC 2016

I disagree with the tone that CAs are entirely to blame here. The BRs are baseline requirements, and browser vendors often say that they have the right to impose additional requirements above and beyond the BRs. When that happens, though, it sometimes puts CAs in a bind.

This is a case in which the BRs say we can't do something, but one browser vendor says we can. Ideally, Microsoft would have recognized this back before the BRs were adopted, and addressed it in their platform or lobbied to rewrite the requirement. But that didn't happen. We're trying to rectify the situation now.


On Apr 16, 2016, at 9:02 AM, Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>> wrote:

I really want to echo the concerns that Richard and Geoff have raised, and really push back on the notion that a CA was "forced" to violate the BRs. That's an extremely bold claim, and if that's the perspective that CAs are taking - that they're "forced" to violate the BRs if a customer wants something the BRs prohibit - then that greatly undermines trust in the CA and whether they are genuinely trying to help make the Internet a more secure place.

I am particularly troubled by this argument, because as Wayne notes, I pointed out to you a solution for this in August of 2015, and now it's April of 2016. You've had 8 months to deploy a solution that's fully compliant with the BRs - after nearly a decade to discover the behaviour I mentioned, and nearly five years since the BRs were passed to actually investigate. This suggests either a lack of creativity on the part of the CAs doing this to actually look for viable, compliant solutions, a lack of engineering ability on the part of CAs to actually implement, or a lack of care towards actually following the BRs. I'd love to know which it is, because all are troubling.

The argument itself is fairly troubling, especially considering the recent remarks about wildcard handling. Would you see it fit to issue wildcards for IP addresses, given that Microsoft CryptoAPI - for preciously the reasons being discussed in this thread here - inappropriately allows *.168.0.1 to match Just see http://www.westpoint.ltd.uk/advisories/wp-10-0001.html if you're not familiar with those details.

I find the justifications for proposing such a change deeply troubling, and suggests that some CAs aren't interested in finding technical solutions. Instead, as Richard has pointed out, it seems some are looking to ignore the standards they're held to for so long, and so thoroughly, so as to justify relaxing the standards. And that should be concerning for all members, especially those who have taken the stance of adhering to the requirements put forth, potentially at cost to their businesses and customers.

We simply cannot support a ballot like that proposed, since there seems to have been zero good-faith effort to actually explore a solution that doesn't involve violating the BRs, despite having one available for so long.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160416/8ddc1bc1/attachment-0003.html>

More information about the Public mailing list